20:00:02 <johnsom> #startmeeting Octavia
20:00:04 <openstack> Meeting started Wed Oct  3 20:00:02 2018 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:07 <openstack> The meeting name has been set to 'octavia'
20:00:25 <johnsom> Well, we can work around it. It's just annoying.
20:00:27 <xgerman_> o/
20:00:31 <johnsom> Hi folks
20:00:32 <xgerman_> yep
20:00:45 <cgoncalves> hi
20:01:04 <johnsom> #topic Announcements
20:01:11 <johnsom> We have new TC members
20:01:16 <johnsom> #link https://governance.openstack.org/election/results/stein/tc.html
20:01:26 <xgerman_> yep, evrajdip made it ;-)
20:01:53 <johnsom> These are year terms, so only half of the TC is new.
20:01:57 <nmagnezi> o/
20:02:03 <johnsom> Also in good news:
20:02:07 <nmagnezi> (Sorry to be late, connection problems)
20:02:12 <johnsom> Octavia has completed the Python 3 by default community goal!
20:02:21 <johnsom> #link https://storyboard.openstack.org/#!/board/104
20:02:22 <xgerman_> yeah!!
20:02:41 <johnsom> We are the first service project to finish.
20:02:59 * xgerman_ victory lap
20:03:33 <johnsom> Thank you to everyone that reviewed the patches, did py3 work, etc.
20:03:43 <johnsom> Any other announcements today?
20:04:02 <xgerman_> oh, that would be me
20:04:31 <xgerman_> I have to focus more on our k8s business and so have to reduce my OpenStack involvement
20:04:47 * johnsom is sad
20:04:49 <nmagnezi> :'(
20:04:52 <cgoncalves> noooo!
20:05:12 <xgerman_> :-(
20:05:16 <colin-> thanks for all the work recently seen you submitting a lot i feel like
20:05:39 <xgerman_> I managed to avoid a hard break but will be here a bit less in the future
20:05:40 <johnsom> xgerman_ was part of the founding team for the project.
20:06:38 <xgerman_> yeah, technically only johnsom is left 100% on the project
20:06:48 <johnsom> So I understand you will still be around and may do some reviews every once in a while.
20:07:06 <johnsom> Well, I think 100% might be a bit generous, but it is a core part of my job.
20:07:07 <xgerman_> yeah, I hope to spend a couple of hours a week here
20:07:15 <cgoncalves> xgerman_, thank YOU! we all hope to see you still around and contribute with your ideas
20:07:31 <johnsom> Ok, we appreciate it and of course all that you have contributed over the years.
20:07:32 <xgerman_> yeah, for sure :-)
20:08:17 <johnsom> Any other announcements today?
20:08:41 <johnsom> #topic Brief progress reports / bugs needing review
20:08:41 <nmagnezi> Please announce only if you have good news..
20:08:50 <johnsom> ^^ yeah, that too
20:09:41 <johnsom> I have been beating my head against the zuul/ansible/devstack wall with a few gate jobs. Sorry for the noise while I fight with those.
20:10:22 <johnsom> I have a patch up for diskimage-builder that fixes building ubuntu-minimal images on bionic nodepool instances.
20:10:41 <johnsom> A change in APT in bionic causes trouble
20:12:04 <johnsom> Other than that I have been working on the IPv6 VIP issue. I have a solution to the DAD failure, but ran into a keepalived segfault issue, which I just identified today. (nice to run gdb again...)
20:12:14 <johnsom> So some progress on that front as well.
20:14:09 <cgoncalves> do you know if the keepalived patch is backportable?
20:15:03 * nmagnezi reconnected again O_O
20:15:29 <johnsom> That I do not know. I saw that it is only in 1.3.0 and newer, but I don't know why it's not in older versions.
20:15:48 <johnsom> We would have to convince the distros to backport it.
20:16:12 <johnsom> I think my workaround can be (needs to be tried) on our side, but it will require a new image be built.
20:16:24 <cgoncalves> "Don't segfault if unable to load ip_vs module"
20:16:30 <cgoncalves> this one?
20:16:49 <johnsom> #link https://github.com/acassen/keepalived/issues/457
20:16:57 <johnsom> #link https://github.com/acassen/keepalived/commit/d52fa0068affc3c6176ba5b5256904d6979fd308
20:17:04 <johnsom> "Don't segfault if modules ip_tables or ip6_tables not loaded"
20:17:26 <xgerman_> just load the module?
20:17:40 <johnsom> Oh, I did get the octavia-lib repo created too.  Just haven't started preparing it yet.
20:17:56 <johnsom> Yeah, I think that will be the workaround. I haven't tested that yet though
20:19:10 <cgoncalves> centos7 has keepalived 1.3.5 which should include that patch
20:19:37 <johnsom> Moving forward, I plan to finish up the IPv6 fix, finish the HM backport to queens, and start work on the octavia-lib repo
20:19:48 <cgoncalves> also this one: https://git.centos.org/raw/rpms/keepalived.git/00db1460fb2e62a5a8cda42012ee6f19a36d7947/SOURCES!bz1508435-no-segfault-ip_vs-load.patch
20:19:58 <johnsom> cgoncalves Ah, nice. Win for centos 7....
20:20:37 <xgerman_> a first…
20:21:06 <johnsom> Bionic has 1.3.9 and should also be fixed.
20:21:43 <johnsom> Any other progress reports?
20:22:18 <xgerman_> https://review.openstack.org/#/c/604226/ is ready as well
20:22:45 <johnsom> nmagnezi BTW, I do plan to grab https://review.openstack.org/#/c/589292/ as the base for the IPv6 fix. If that is still ok with you.
20:22:48 <openstackgerrit> Merged openstack/python-octaviaclient master: Use templates for cover and lower-constraints  https://review.openstack.org/604549
20:23:09 <nmagnezi> johnsom, yup, np.
20:23:21 <cgoncalves> the zombie hunter patch is ready and received approval, although it is failing on functional. it passes locally. thoughts?
20:23:22 <xgerman_> also I am trying to refactor the AAP driver: https://review.openstack.org/#/c/604479/ — hope to finish/babysit that as well
20:23:24 <cgoncalves> https://review.openstack.org/#/c/587505/
20:23:40 <xgerman_> yeah, not sure… keep rebasing until it works?
20:23:47 <johnsom> I also added the API version to the api-ref here: https://review.openstack.org/604911
20:23:49 <johnsom> #link https://review.openstack.org/604911
20:24:13 <nmagnezi> xgerman_, looks like a related test is failing http://logs.openstack.org/05/587505/22/check/openstack-tox-py27/18ad0e2/testr_results.html.gz
20:24:32 <xgerman_> mmh…
20:24:47 <johnsom> Hmm, yep
20:25:03 <xgerman_> yeah, cgoncalves one of us needs to debug then
20:25:27 <johnsom> heads (doing the coin flip for you)
20:25:37 <xgerman_> lol
20:25:44 <nmagnezi> lol
20:25:58 <cgoncalves> ok, if no one has ideas I'll keep looking
20:26:20 <nmagnezi> Or use https://justflipacoin.com/
20:26:21 <nmagnezi> :D
20:26:41 <xgerman_> k - heads was cgoncalves
20:26:45 <johnsom> You can't say the PTL is good for nothing....
20:27:17 <johnsom> I will take a quick look too.  Could be the test is reaching out to the host or being impacted by ordering.
20:28:07 <johnsom> Any other updates?
20:28:39 <johnsom> #topic Talk about VIP security groups
20:28:51 <johnsom> Last week we came down to two options:
20:28:57 <johnsom> 1. Add ACL to the Octavia API to allow source IP restrictions
20:29:04 <johnsom> 2. Move the VIP base port security group ownership to the tenant
20:29:13 <johnsom> Any more thoughts or comments on this topic?
20:30:19 <johnsom> One person at a time please..... grin
20:30:23 <cgoncalves> I'm in favor of option 1, but I understand folks needing option 2 (+ configurable in .conf)
20:30:32 <colin-> same
20:31:15 <xgerman_> we can do both, can’t we?
20:31:16 <johnsom> Yeah, I lean towards 1 as well given the pain I have seen from having the VIP even visible in the tenant.
20:31:33 <cgoncalves> if option 2, I'd argue to have SG owned by Octavia as default and a config opt to allow specific tenants to have SG owned by them
20:31:57 <johnsom> Or maybe a flavor option....
20:31:58 <xgerman_> well, we could maybe get that with policy
20:32:01 <colin-> we are integrating tightly with magnum here and the idea of being able to transact with the api for security group needs on VIPs is attractive, fwiw
20:32:06 <cgoncalves> plus while introduce that config opt, deprecated it at the same time as we don't want to carry it for that long
20:32:56 <cgoncalves> *deprecate
20:32:59 <xgerman_> colin-: magnum is free to run as the same tenant as octavia or have admin rights there
20:33:22 <xgerman_> in some of my installs I use the service tenant for octavia…
20:34:42 <johnsom> Ok, so what I am hearing is the following:
20:34:59 <johnsom> We would like to implement option 1.
20:35:36 <cgoncalves> ltomasbo, this discussion could be of interest to your team...
20:35:37 <johnsom> We would like to make available, via config and/or flavor that the VIP base port (vrrp port) be owned by the tenant.
20:35:52 <johnsom> Is that correct?
20:35:59 <johnsom> If so I will update the story
20:36:49 <cgoncalves> config so that it could be potentially backportable (reason: security hardening)
20:37:31 <cgoncalves> #link https://review.openstack.org/#/c/602564/
20:37:49 <johnsom> Yeah, I am fine with a config up front, then moving it to a flavor later.
20:37:57 <johnsom> #link https://storyboard.openstack.org/#!/story/2003686
20:38:08 <cgoncalves> I think ltomasbo would be able to continue ^ and add the config opt
20:38:38 <cgoncalves> johnsom, why flavor? why not add ACL (option 1)?
20:38:57 <xgerman_> we can do both
20:39:16 <cgoncalves> ok
20:39:23 <johnsom> Right, I was expecting both.  flavor gives the operator more flexibility over an all-or-none config setting
20:40:21 <johnsom> Ok, I will write it up on the story.
20:41:06 <johnsom> #topic Open Discussion
20:41:13 <johnsom> Any other topics for today?
20:41:47 <cgoncalves> do you think it could make to be backported to stable releases?
20:42:01 <cgoncalves> *made
20:42:18 <johnsom> Not likely given it would be a new config setting or API change
20:42:43 <xgerman_> +1
20:42:57 <xgerman_> we can’t just play fast and loose with API/Config changes
20:43:59 <cgoncalves> I was asking specifically of option 2 with new config. potential reason for backport would be security hardening. we've recently backported a patch to stable releases that added a new config with a good default
20:44:17 * johnsom thinks the stable maintenance role is going to cgoncalves' head...  backport it all!  grin
20:44:29 <cgoncalves> I understand if it cannot. I just wanted to clarify so that everyone is aware and understands
20:44:37 <johnsom> Yeah, and they kind of didn't like it
20:44:52 <cgoncalves> I remember that ;-)
20:45:57 <johnsom> I think if someone can make a strong case for it being needed for security reasons, we could try it. But I would want that really called out in the story as the driver for the change.
20:47:24 <johnsom> Any other topics today?
20:47:58 <xgerman_> where is rm_Work?
20:48:15 <rm_work> somewhere
20:48:19 <xgerman_> lol
20:48:54 <colin-> awesome job on the python3 stuff
20:49:21 <johnsom> Yeah, happy to have that done and that we are on top of being able to run on python3
20:50:00 <johnsom> Ok, well, if there aren't other topics today, have a great week folks! I'm back to playing with keepalived
20:50:12 <johnsom> #endmeeting