14:00:08 #startmeeting neutron lbaas
14:00:09 Meeting started Thu Sep 18 14:00:08 2014 UTC and is due to finish in 60 minutes. The chair is dougwig. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:10 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:12 The meeting name has been set to 'neutron_lbaas'
14:00:19 hello
14:00:20 morning lbaas
14:00:25 morning
14:00:29 agenda:
14:00:31 #link https://wiki.openstack.org/wiki/Network/LBaaS#Meeting_18.09.2014
14:00:43 o/
14:00:54 #topic Announcements
14:00:56 a few items to highlight from the neutron meeting
14:01:08 fyi, freenode was hacked:
14:01:10 #link https://blog.freenode.net/2014/09/server-issues-2/
14:01:20 o/
14:01:35 and i'd like to highlight the octavia review query link:
14:01:37 #link http://bit.ly/1wqy47t
14:01:44 any other announcements?
14:02:10 moving on
14:02:13 #topic Incubator update
14:02:13 o/
14:02:23 mestery, any updates for us?
14:02:53 dougwig: Did markmcclain talk to you or sballe?
14:03:05 dougwig: He was supposed to, if he hasn't, then no updates.
14:03:14 hello
14:03:17 i can't speak for sballe, but i haven't heard from him
14:03:20 sballe is running late
14:03:30 and might not make this meeting
14:03:33 i havent heard anything either
14:03:34 dougwig: OK, no update now, lets wait for sballe (I'm talking to her later today for a different issue)
14:03:41 ok
14:03:51 #action mestery to resolve neutron incubator issues this week
14:03:57 moving on to another item of note from the neutron meeting...
14:03:59 #topic Kilo Design Summit Etherpad
14:04:09 details of the design summit planning are out
14:04:10 #link http://lists.openstack.org/pipermail/openstack-dev/2014-September/045844.html
14:04:19 here is the etherpad for neutron:
14:04:20 #link https://etherpad.openstack.org/p/kilo-neutron-summit-topics
14:04:33 and the overall link to all etherpads:
14:04:33 #link https://wiki.openstack.org/wiki/Summit/Planning
14:04:39 Neutron sessions will be on Wednesday and Thursday, Cross-project track is Tuesday, Friday is for program pods
14:04:44 go forth and edit.
14:05:08 how would a project get a session?
14:05:13 those LBaaS sessions are v1, v2, or Octavia?
14:05:34 lbaas udp?
14:05:35 LBaaS udp
14:05:35 LBaaS HA
14:05:35 LBaas Monitoring and alerting
14:05:35 LBaaS - Security groups
14:05:46 of course
14:06:29 mestery: should octavia sessions be in the neutron etherpad, or somewhere on their own?
14:06:48 dougwig: Put them in the neutron pad for now if that makes sense
14:06:53 dougwig: We'll see how it falls out.
14:06:54 since there is one for v2, I suppose those are for v1 or just a LBaaS and general
14:06:55 Make sense?
14:07:25 since we are LBaaS I am puzzled who put them in
14:07:25 if we're putting network program items in that one, it makes sense to me.
14:08:07 someone put in lbaas udp? haha, sweet. :)
14:08:33 i thought it'd of been you
14:08:48 wasn't me :-)
14:08:50 Huh.
14:08:54 does anyone want to brainstorm what sessions we want/need here? time is limited, so we'll want to be pretty crisp in what we request.
14:08:58 maybe it was mestery? :P
14:09:05 anyhow should we change LBaaS HA -> Octavia HA
14:09:19 I think it was markmcclain :P
14:09:22 im not sure we know exactly what we will want to discuss when that time comes
14:09:40 blogan: that implies that maybe we just want to aim for the pods?
14:09:53 well, we want to sort of approve the blueprints for our first release
14:09:59 * TrevorV keeps seeing lbaas udp... is that serious?
14:10:04 dougwig: i think we'd get a lot more done there
14:10:52 Are the pods more informal? I worry that we'd miss out on people attending who don't know as much about Octavia if we're meeting ad-hoc in the pods.
14:11:01 +1
14:11:07 sbalukoff: yeah you're probably right
14:11:35 are we at the point where having 100 people attend is useful? i personally don't want a huge session without a crisp focus just because we want a large group
14:11:36 though I don't see octavia getting approved for a design session, but it doesn't hurt to try
14:11:46 Are we ok with the proposed LBaaS topics? Should they be Octavia topics?
14:12:13 I am missing stuff like L7 we used to work on... SNI
14:12:27 I don't even know what all host LBaaS topics are about: We certainly haven't seen them discussed here or on the ML in the last month.
14:12:42 personally, i think there are too many proposed right now.
14:12:46 They should be Octavia topics, eh.
14:12:46 and that worries me since we are LBaaS
14:13:01 well we definitely need to talk about v2
14:13:02 xgerman: +1
14:13:11 blogan: perhaps your "agent for all drivers" proposal?
14:13:29 i thought you weren't a fan of that
14:13:31 exception/error model
14:13:37 who is "pcm"?
14:13:52 xgerman: the agent for all drivers would lead to that
14:13:57 blogan: heh, i'm not a fan of broccoli either. people still eat it.
14:14:49 blogan put it on the agenda
14:15:33 In any case, I think we can come up with some Octavia-specific design summit ideas and add them here. what's the deadline for adding new stuff?
14:16:10 check the ML link.
14:16:19 So LBaaS UDP was a serious topic?
14:16:30 TrevorV: I can't imagine it is.
14:16:38 Its on the list...
14:16:44 But I don't know who 'pcm' is, who I think added it.
14:16:44 TrevorV: i don't think so. mark is still planning that one at a bar, afaik
14:16:45 I think that was the "meet everyone for LBaaS in a pub and have a beer" session :P
14:16:55 aaah, I forgot about the location reference
14:16:56 :D
14:17:13 yeah, UDP is our LBaaS party ;-)
14:17:17 any last comments here, before we move to a related topic?
14:17:28 LBaaS "Underground Downtown Pub"?
14:17:30 what are LBaaS security groups?
14:17:43 xgerman: Yeah, I was wondering that, too.
14:18:30 I guess nobody here knows. XD
14:18:34 Funny.
14:18:44 #topic Summit meetup
14:19:00 who's going to paris, and is someone willing to plan an evening get together?
14:19:11 I'm going.
14:19:16 i'm going
14:19:19 me, too +sballe
14:19:24 rackspace is in limbo right now.
14:19:28 heh..
14:19:30 I could check with my team to see if Blue Box wants to host.
14:20:08 i still have not heard any definitive answer to the limbo we are in about going to Paris
14:20:53 we'll put up a cardboard cutout of you during your talk window.
14:20:54 I am pretty sure at the least blogan, crc32 and I are going, since we already bought tickets...
14:21:18 Samuel, Avishay and myself are going, as for now
14:21:19 but hopefully they get their shit together and a2hill goes as well
14:21:42 at best it would be a2hill,blogan,crc32, and rm-you. a2hill has priority over me on this one. But at worst no one.
14:22:14 idk if id be the most useful to go, so if they have a lottery ill give up my position to someone that may be more useful. i.e. adam
14:22:27 Speakers who were not chosen still have the opportunity to present a Tech Talk in the #vbrownbag room. Apply here.
14:22:28 hopefully that's not the case
14:22:48 xgerman: do you have a link for that?
14:23:01 http://openstack.prov12n.com/techtalks-at-openstack-summit-paris/
14:23:06 xgerman: yeah do i need to sign up? I figured maybe it was like, sign up at the door
14:23:17 #link http://openstack.prov12n.com/techtalks-at-openstack-summit-paris/
14:23:23 rm_you: you want to sign up early.
14:23:48 yeah, we should put some of the talks which got voted down there (e.g. Octavia)
14:23:48 k
14:23:55 #topic Open Discussion
14:24:10 I am late, just joined. was incubator discussed?
14:24:19 #action sbalukoff to check with Blue Box team to find out if Blue Box wants to host evening get-together somewhere.
14:24:20 yes, same as last week
14:24:30 yeah I was going to do "Barbican Integration for Certificate/Key Storage in Neutron and other Openstack Services"
14:24:59 rm_you: Go for it!
14:25:11 I suppose I could give a talk on Octavia.
14:25:20 +1
14:25:33 We could try collaborating on one-- though I don't know if they're set up for two people on camera.
14:25:33 yeah, I can speak to that, too :-)
14:25:56 you guys can snuggle up in the camera view, right sbalukoff ?
14:26:08 #action sbalukoff to sign up for vbrownbag talk on Octavia. World rejoices.
14:26:13 Haha! sure!
14:26:21 lol
14:26:29 Who wants to photobomb an Octavia vbrownbag talk?
14:26:54 We should totally cycle through like 5 people during the 10 minutes we have. XD
14:27:00 Oh, speaking of which, I still owe the ML some diagrams and such about the Keystone/Barbican/Neutron interaction stuff, but it keeps freaking changing
14:27:44 and on that topic, how violently will people be willing to fight against "requiring the user to set up a Trust on their own in advance, probably using a provided template"?
14:27:55 -1
14:28:04 that's not user friendly
14:28:05 okay, so xgerman isn't going to fight, that's nice
14:28:25 xgerman: *I* know that and agree
14:28:32 it has precedent if horizon can make it look like an android app install permissions request, but overall, it's fairly silly.
14:28:34 but if people don't want to back me, I won't fight it
14:28:39 rm_you: Eew?
14:28:55 it's looking more and more like that's going to be the future requirement
14:29:11 tell us what link to show up on and drop a mountain of -1's.
14:29:12 even if we get away with doing it temporarily ourselves, in the end that is going to be the only way
14:29:29 yeah we can put in -1's
14:29:33 rm_you: And that will be the case for all consumers of that functionality, right? (VPNaaS as well, for example)?
14:29:35 dougwig has the right idea
14:29:44 People are not liking having user set up a trust?
14:29:45 well, if we REALLY strongly object, then I could use more heads working on this issue -- we need to figure out a secure way to do it that the keystone folks will agree is ok
14:29:49 sbadia: yes
14:29:50 err
14:29:52 sbalukoff: yes
14:29:54 but would rather have it done for them?
14:30:18 well, the problem is the first BP that'll come up for it will be mine, for doing it that way because there's no alternative
14:30:38 not sure piling -1s on that is constructive :P
14:30:59 it's clear what's needed and they are not giving it to us
14:30:59 q-2?
14:31:11 we need to figure out a secure way to make it work that we're all ok with... tell you what, I'll send out a mail with what I have so far, TODAY, and detail the issue, and maybe we can get some good ideas flowing
14:31:27 a2hill: well, is there any other openstack service where you have to go set up boilerplate first? alternately, can you imagine how much fun that will be when it's wired into 20 different things?
14:31:31 rm_you: Good idea!
14:31:56 rm_you, +1
14:32:05 rm_you: +1
14:32:11 i'm starting to feel like mestery/mark, promising you info and then disappearing for weeks :P
14:32:14 I'm heading in. see you guys in a little bit.
14:32:18 * rm_you prods mestery
14:32:20 Ouch.
14:32:35 all in good fun
14:32:36 lol
14:32:38 anyway, yeah that's it
14:32:42 :)
14:32:47 Is the topic over?
14:32:57 Open Discussion?
14:33:05 it's open discussion. do you have something?
14:33:23 vijay7?
14:33:24 yes, want to know if there is anyone who has tried setting up HA on a backend
14:33:42 this is what we are doing Octavia for
14:33:49 yes, but for me, it's cheating. in what context?
14:33:58 dougwig, why would want to allow another service generate a 'trust' that is supposed to be secure. If I allow that service to use it, well thats a different story
14:34:07 vjay2: Not in the context of Neutron LBaaS specifically, but I know our Neutron installs we do HA. (And lots of other non-OpenStack stuff throughout our networks.)
14:34:15 You had to set up an account to get access to the entire service initially
14:34:47 have to make request to get token, so can we take an account id and get the token for them so they dont have to do that either?
14:34:53 dougwig / a2hill: yeah, it's pretty much a security/usability tradeoff balance, as always
14:34:58 :/
14:34:59 a2hill: if i'm an end user, i already trust all of openstack. i don't know it's a bunch of little fiefdoms, nor do i care. my trust happens when i register.
14:35:12 fair enough
14:35:24 dougwig: +1
14:35:27 a2hill: this exposes openstack warts/architecture to the end user, is all.
14:35:42 Which is usually considered "bad"
14:35:49 if there are 2 backends that has to be configured for HA. we need to create additional ports serving the same VIP. Other than the port created for VIP by the LBaaS plugin.
14:36:13 vjay2: There are a couple ways of doing this, IIRC.
14:36:36 I guess i don't see that as a wart, but I get the points you are making dougwig
14:36:48 +1 we shall battle?
14:36:51 IIRC?
14:37:00 if I recall correctly.
14:37:01 if i remember correctly
14:37:03 or that
14:37:15 ok :-)
14:37:26 would like to know more about it
14:38:34 Sorry, trying to remember exactly how it's done (it's early). I seem to recall one of them uses a specific Neutron plug-in to accomplish it, but I'm not remembering which it is right now.
14:40:08 it also depends on the HA. if you have a pair of HA appliances that will mimic at the L2 level, nothing. at the L3 level, you can add static routes to the subnets on the hardware appliances, or trust implicit routing and make sure that's setup, or plumb in additional ports.
14:40:27 or whatever method sbalukoff is going to suggest.
14:41:13 How do you make it mimic?
14:41:30 ports are created with their own IP address right?
14:42:16 Basically there are 2 issues. (1) How to allow the extra port created to allow IP address in addition to what it was created with. (2) Are there security policies or throughput restrictions applied on the port created for VIP by LBaaS plugin
14:42:49 Gah... I'm not coming up with it.
14:43:07 I'm going to have to check with Dustin or something when it's not gawd-awful early. :P
14:43:15 vjay7: the answer to your first question is something like vrrp between the hardware, which is out of scope of lbaas.
14:43:21 (2) no
14:43:25 (2) Neutron per se only allows one port per VIP -- so you would need to switch off the anti-spoofing or add a plugin
14:43:50 also depends on if you're talking active-active or active-standby
14:44:11 it is active-standby
14:44:40 then one port per vip is fine, you just have to flip it when a failover happens.
14:45:18 assuming you can quickly flip N thousands quickly.
14:45:43 flip meaning attach the ports to the standby instance?
14:45:52 is this with an appliance or with the haproxy driver?
14:46:07 it is with NetScaler appliance
14:46:39 are they doing HA of some kind between themselves, or are you just trying to run two of them in parallel?
14:47:14 they will do HA between themselves. When heartbeat between the appliances fail, the slave will takeover
14:48:03 ok. can we move this conversation to the lbaas channel after the meeting?
14:48:11 ok
14:48:23 any other open discussion?
14:48:55 i put up a spec for the octavia operator-api
14:49:03 yeah!!
14:49:07 not neutron lbaas related
14:49:34 * blogan likes to make xgerman happy
14:49:37 if we want octavia to be the ref backend, i consider it neutron lbaas related.
14:49:55 we do want to make it that ;-)
14:50:40 last chance for discussion, or we'll end early...
14:51:18 a dumb question. I have not been active in the MLs. Was there any news on incubator stuff and its process? Any links to read
14:51:27 Will projects in incubation be packaged but default switched OFF and any admin can turn it on?
14:51:46 vjay7: you are just as informed as we are without being updated for the last 2 months
14:51:47 as far as i know, this is the latest info:
14:51:49 #link https://wiki.openstack.org/wiki/Network/Incubator
14:52:13 thanks!
14:52:54 ok, let's let stephen get back to sleep.
14:53:03 #endmeeting