20:00:30 #startmeeting Octavia 20:00:31 Meeting started Wed Jun 14 20:00:30 2017 UTC and is due to finish in 60 minutes. The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:32 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:35 The meeting name has been set to 'octavia' 20:00:42 Hi folks 20:00:54 o/ 20:00:55 Hi 20:01:12 #topic Announcements 20:01:20 We are heading towards feature freeze Pike-3 July 24th 20:01:27 #link https://releases.openstack.org/pike/schedule.html 20:01:27 o/ 20:01:50 Please keep that in mind. We are in the last stretch of Pike. 20:02:14 p/ 20:02:16 o/ 20:02:25 Also of note, the TC ran an analysis on project activity 20:02:30 https://www.irccloud.com/pastebin/gy1jZ2Xg/ 20:02:42 #link https://etherpad.openstack.org/p/9YSc50YgUb 20:02:47 The link is the full list 20:03:28 It does show a slow down in contributions to octavia. 20:03:39 OSIC.. :< 20:03:49 Though it's not as bad as some other projects that are in the 60% drop rang 20:04:10 Some OSIC, some other contributors moving off working on OpenStack 20:04:21 Just thought I would share the numbers 20:04:28 yeah, I think OpenStack is really hurting for devs 20:04:30 really? 20:04:34 we are + on contributors 20:04:43 Yep 20:04:51 By one 20:04:55 and yeah only -8% commits merged, but 20:04:56 that's actually surprising 20:04:57 Y-o-Y 20:05:03 because we merged SOOOO much stuff 20:05:44 Yeah, the numbers are probably a bit skewed due to the point in time the project is at. Early projects are going to have high commit rates 20:06:35 Also of note, we released 1.0 version of the openstack client plugin package for Octavia v2 API. Nice job! 20:07:01 Stats, status, and quota are left to do there, but otherwise it should be pretty complete 20:07:20 JudeC, well done! 20:07:32 #link https://pypi.python.org/pypi/python-octaviaclient/1.0.0 20:07:43 :) 20:07:58 Yeah, super handy to have 20:08:10 nice 20:08:12 Any other announcements? 20:08:18 +1 20:08:41 #topic Brief progress reports / bugs needing review 20:08:56 I want to highlight a couple of open specs: 20:09:02 l3-active-active spec 20:09:09 #link https://review.openstack.org/453005 20:09:15 flavors spec 20:09:21 #link https://review.openstack.org/392485 20:09:34 reviewed both 20:09:42 have some q in OpenQ 20:09:48 These both could use more reviews (credit to xgerman_ for his recent review comments) 20:10:02 reviewing flavors today 20:10:14 yes, thanks for the input 20:10:29 As for progress updates, I jumped into finishing the RBAC implementation for the Octavia v2 API 20:10:55 i've been making a personal push towards better work/life balance recently... so, i haven't been able to get to those big specs yet :( 20:11:04 I am making decent progress. I do have a discussion item for later in the meeting on the policies. 20:11:44 I will also be getting back to finishing the api-ref. I have the l7 apis and quotas to finish 20:12:04 #link https://developer.openstack.org/api-ref/load-balancer/ 20:12:15 In case you have not seen the new api reference docs 20:12:33 Any other updates? 20:13:01 #topic Discuss RBAC policies 20:13:08 I think we are in a spot where we can start reviewing the octavia-proxy in lbaasv2 20:13:32 (if we load it on top jude’s filter stuff) 20:13:38 Ok, quick question for the team. Most projects have simple "admin or owner" policies defined. 20:13:59 xgerman_ Cool, need to find time to check that out and review the filters again 20:14:14 thx 20:14:21 Nova team has proposed making this a bit more granular 20:14:27 #link https://review.openstack.org/#/c/427872/19/specs/pike/approved/additional-default-policy-roles.rst 20:14:45 Interesting parts start around line 144 20:15:16 Basically instead of just Admin/not admin they are proposing a "observer" or read-only policy level 20:15:57 It would also mean the project would have project specific roles that could be loaded up into keystone. 20:16:18 "load-balancer_observer" for example. 20:16:25 Thoughts on this? 20:17:45 Or, should we just follow most other projects and have simple "admin_or_owner" style rules 20:17:47 ? 20:18:11 #link http://docs-draft.openstack.org/72/472872/7/check/gate-octavia-docs-ubuntu-xenial/68c5715//doc/build/html/main/policy.html 20:18:51 That is part of my WIP patch. I have only done LBs so far 20:19:13 johnsom: i think the observer stuff is standard? 20:19:16 i have seen it a lot 20:19:24 at least in barbican 20:19:29 but maybe barbican's model is non-standard 20:19:48 https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json 20:19:54 Right, this is OpenStack, standard has 50 meanings... Grin 20:20:03 lol 20:21:15 No comments? 20:22:06 I think I like what nova is doing 20:22:38 Cool, thanks for the input 20:22:46 I think having read only makes sense 20:22:58 if you want to only give visibility and not any other access 20:23:35 nmagnezi Any comments from a packager? 20:24:21 johnsom, mmm.. i'll have to look more about this before I can comment. sorry :\ 20:24:27 Ok 20:25:15 Well, I might head down the path that nova is proposing because I kind of like it too. If you have comments please put them on the patch (sooner would be nice, grin). 20:25:36 #link https://review.openstack.org/#/c/472872/ 20:25:45 I think it gives more flexibility to the operator 20:26:05 Which I am always of fan of empowering the operators 20:26:23 #topic jsonschema blueprint 20:26:31 #link https://blueprints.launchpad.net/octavia/+spec/jsonschema-api-validation 20:26:43 We brought this up last week 20:26:55 It is a proposal for an alternative to WSME. 20:27:13 Any new comments? Did people have time to investigate? 20:28:05 i still like voluptuous 20:28:22 but don't have any other comments besides "this is suuuuper low priority" 20:28:37 Can you comment to that blueprint you feelings? 20:28:50 Yeah, I am kind of in the "Is this necessary now" camp 20:28:54 there's definitely issues with the WSME stuff (especially that I ran into around single-create) but it's already been worked around, so 20:29:12 if someone wants to contribute that work, and would otherwise not work on octavia at all, then go for it :P 20:29:22 but if you're going to do SOMETHING on octavia, please don't do that 20:29:22 Yeah, it also has some strangeness with exception handling, but it seems to *work* 20:29:57 Ok, let's capture comments there and move on 20:30:12 #topic Proposal to move Octavia to storyboard 20:30:19 #link https://storyboard.openstack.org/ 20:30:28 Another carry over from last week. 20:30:53 I looked at this a bit. Folks that have used it seem to think there are still some issues to be worked out. 20:31:02 i asked a team mate who work on neutron about this 20:31:13 he was not too familiar with it 20:31:31 just replied that he does not understand the justification 20:31:48 I think we should delay this to Queens-1 at the earliest as I think we have more important things to work on and I don't want to disrupt the Pike release. 20:31:50 so.. not a lot of info there.. 20:32:08 yeah, sounds like a good call 20:32:22 It's a migration, unknown gotchas, and learning a new tool, so.... 20:32:38 and overall it would be nice to see feedback from projects who already migrated.. see how is it working for them 20:33:08 #link https://storyboard.openstack.org/#!/project/list 20:33:11 It's a short list 20:33:34 Oh, nevermind, the scroller is in the corner. 20:33:41 It must be all projects loaded 20:34:47 The one plus is I guess it doesn't go out to lunch like launchpad does with bugs that have a lot of people on them. 20:34:56 That is annoying, but rare 20:35:17 i'm always surprised to discover new names for projects in openstack.. seem like ppl start a new one every day :) 20:35:43 Yeah, or they are long forgotten projects... 20:36:02 Ok, I will reply that we aren't ready to make that move in Pike 20:36:07 #topic Open Discussion 20:36:07 ack. 20:36:13 Other items today? 20:36:42 the uwsgi stuff is causing me some headaches with devstack. 20:36:46 oh yeah, I wanted to talk flavor 20:37:12 I built a fresh VM and the openrc was not configured right for the new keystone URL path. 20:37:13 o/ 20:37:29 I also found that last night uwsgi was running 100% cpu 20:37:34 So, yeah, pains 20:37:42 xgerman_ Go for it 20:37:56 https://review.openstack.org/#/c/392485/8/specs/version1/flavors.rst 20:38:22 oh, logging 20:38:24 so it is propsoed to sye some complex database scheme to store keys and values which are set on flavors 20:38:27 i wanted to discuss logging 20:38:51 xgerman: thx for the review 20:38:53 rm_work ok, that will be next 20:38:54 also -- aren't most of these done: https://bugs.launchpad.net/octavia?field.searchtext=Align+octavia+api&search=Search&field.status%3Alist=NEW&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.assignee=&field.bug_reporter=&field.omit_dupes=on&field.has_patch=& 20:38:56 field.has_no_package= 20:38:57 ugh 20:38:58 long link 20:39:01 I am a bot worried that is overengineered 20:39:48 we could reduce the number of tables, it all depends on what experience we would like to provide to the operator who will be creating the flavors 20:39:52 rm_work Yeah, I need to go through those and see if we met the criteria to close out 20:40:27 cpuga our original design was just some metadata text field to put the values in 20:41:00 but maybe we should defer until everybody had. a look? 20:41:22 I would like to see flavors be a self-contained standalone container for key/values, and be potentially FK’ed from any primary lbaas resource, such as listener, pool, healthmonitor. Not just the loadbalancer. 20:41:47 as long as the design doesn’t prohibit that as a future enhancement.. 20:42:22 the flavor is a framework which could in theory be applied to any compoent 20:42:29 +1 20:42:39 great 20:43:04 Hmm, there is a good point here though, with a more structured table we could expose some "discover-ability" about the flavor as opposed to making the operator document that outside of the implementation. 20:43:13 except for the lb_topology_name field, which seems to be lb specific.. 20:43:38 I felt the concept of lb_topology would apply to all providers at a minimum with "single" topology support. 20:43:44 what do you guys think? 20:43:59 if the flavor was a json schema, it would provide the documentation, and allow ocatvia to perform generic schema validation 20:44:53 for best user-experience through CLI commands (instant error-checking, instead of delayed FAIL status whenever the provider driver gets around to ACK’ing the request) 20:44:58 I think to some degree it is up to the provider to interpret the contents of the flavor. 20:45:34 I read something in the new spec that made me think it shifted away from json to a more binary structure 20:45:45 json schema could be submitted as a value 20:45:45 if the vendor meta-data can still be json then I’m fine 20:46:11 well, it lays it out as key value 20:46:21 that would be overkill for just some json 20:46:26 cpuga: is lb_topology a new octavia-ism? 20:47:04 Yeah, the key, value, thing seems to be contrary to the json schema 20:47:25 m-greene We have had topology as a configuration setting since Mitaka 20:47:43 m-greene: lb_topology is an octavia table 20:47:54 It's for all LBs now, but should be configurable via the flavor instead 20:48:08 ok- that’s why I don’t recognize it.. our vendor driver is still only neutron_lbaas 20:48:46 so then would we care about it once a vendor runs under octavia? or since it allows NULL we can simply ignore the field 20:49:10 Ok, I think I want to read through this and comment on the patch. Any other discussion we need on it before we move on to logging? 20:49:21 I am good 20:49:36 rm_work logiing? 20:49:56 well, the spec is actually someone else's 20:49:59 m-greene It might be something that becomes legacy or yeah, is ignored by the providers. 20:50:03 or ... is it code actually, i forget 20:51:16 #link https://review.openstack.org/#/c/471682/ 20:51:23 (or does johnsom have to #link) 20:51:40 Nope, you can too I think 20:51:49 the bug: 20:51:51 #link https://bugs.launchpad.net/octavia/+bug/1665069 20:51:52 Launchpad bug 1665069 in octavia "Support of haproxy log aggregation capabilites" [Wishlist,In progress] - Assigned to Ganpat Agarwal (gans-developer) 20:52:29 Yeah, so this has some work to do. 20:52:55 I was going to recommend we make the logging situation be handled by syslog rather than haproxy, as it's a bit more standard and would allow for a customizable syslog config -- and that also allows for aggregating both log types separately 20:53:03 but wanted to see other people's opinions 20:53:03 First, we need to decide how we want to tag them with the LB ID and probably project_id? 20:53:22 basically, i think going straight to code here was maybe a bit hasty 20:53:28 though code always appreciated :P 20:53:41 what can people learn form the logs anyway? 20:53:42 just in this case, I don't know if I agree with the direction so I feel bad if there's effort wasted 20:54:15 xgerman_: to tell you the truth i don't really know, other than maybe debugging some stuff if your app isn't working right? :/ 20:54:22 but I know that customers always seem to ask for it 20:54:37 very true - those pesky customers 20:54:41 Right, they want the per-connection logs to debug messed up deployments 20:54:43 and auditing 20:55:21 ok, I am with @rm_work and syslog 20:55:51 I guess I envision bouncing them through the local syslog to allow some limited spooling 20:55:53 but everybody does logging differently and some might want to throw a fluentd on each amphora 20:55:56 yeah, and i am kinda envisioning a whole [logging] config section, a template path for custom syslog templates, etc 20:56:19 Yeah, we will need to setup the log format inside haproxy too 20:56:33 I think this is our action-item 20:56:35 obviously people are welcome to do their own elements for their own completely custom solution 20:56:42 Right 20:56:47 philosophical discussion… is logging for developers to understand bugs coming from operators, or for operators to self-diagnose and use some reference manual to identify remediation? 20:56:55 yeah, we can expose the haproxy log format as config 20:56:56 with a reasonable default 20:57:14 m-greene it’s for users debugging their apps — 20:57:17 m-greene: i think it's for developers to understand bugs coming from developers? 20:57:22 m-greene We are mostly talking about user visible per-connection logs 20:57:30 and also maybe statistics stuff for usage? 20:57:59 in my firewall days, logs are required by certain companies for audit purposes 20:57:59 in our case it would be for application teams to debug / statistics / analytics 20:58:08 HIPAA 20:58:11 ^^ yeah those are the use-cases i've heard 20:58:13 so we should propose/template a format and maybe give a reference (syslog) and leave the rest to the operator 20:58:20 yep 20:58:30 though i think syslog will be generic enough to cover 90% of cases 20:58:54 One case I know this was useful in the past, some idiot used libcurl without configuring it. They were downloading large files over small pipes. By default libcurl closes the connection idle or not after 5 minutes. This log would show the client closed the connection and the LB or server did not fail the connection. 20:58:54 syslog can send logs basically anywhere these days 20:59:19 johnsom: I take great offense at being referred to as small. 20:59:29 well, we also need to account for people wanting to ship certs on the a,mp to secure the communication, etc 20:59:40 Right, and proxies for syslog are available for the lb-mgmt-net 20:59:57 jaypipes Ha, no offence intended 21:00:04 johnsom: :) j/k 21:00:07 lol 21:00:14 so octavia needs loging for security audit purposes… also see emergency alerts, utility billin 21:00:24 Ok, out of time. More discussion in the channel or on the patch..... 21:00:30 #endmeeting