16:02:55 <johnsom> #startmeeting Octavia
16:02:56 <openstack> Meeting started Wed Sep 18 16:02:55 2019 UTC and is due to finish in 60 minutes. The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:03:00 <openstack> The meeting name has been set to 'octavia'
16:03:05 <cgoncalves> hi
16:03:09 <ataraday_> hi
16:03:10 <ajay33> Hi
16:03:21 <johnsom> I guess our PTL is MIA today. lol
16:03:48 <gthiemonge> hi
16:03:57 <johnsom> #topic Announcements
16:04:07 <johnsom> We are in feature freeze. Please do not merge any feature patches.
16:04:30 <johnsom> Thank you to everyone that helped us get those last few features merged after all of the infra and requirements issues we faced.
16:05:31 <johnsom> If you didn't follow the issues, a few weeks before feature freeze Ubuntu released a kernel that panicked if you had a NAT rule (floating IP) and sent a fragmented packet through it. This caused our tempest jobs to fail with "RETRY_LIMIT".
16:05:42 <johnsom> This was fixed in the -62 kernel release.
16:06:20 <johnsom> Then requirements had bumped configparser to 4.x.x, but the author pulled the package from pypi after the global-requirements update went out.
16:06:29 <johnsom> This also broke our jobs.
16:06:38 <cgoncalves> thank YOU for the hours put troubleshooting it, and syncing with infra and other teams
16:07:02 <johnsom> Just glad we got it fixed in time for feature freeze
16:07:19 <johnsom> RC1 and stable/train branches are next week.
16:07:43 <johnsom> Next week is RC1 week. We should try to have all of our bug fixes in for that.
16:08:08 <johnsom> I will not be available to do the release. rm_work or cgoncalves will need to take point on that.
16:08:22 <johnsom> I can create a stub release patch if you would like.
16:08:56 <cgoncalves> any help is welcome :)
16:09:19 <johnsom> Finally, as I hinted at above. I will not be available for the next two weeks.
16:09:23 <cgoncalves> I will coordinate with our PTL during your absence
16:10:00 <johnsom> Ok, I will put up a stub patch (no commit strings) and mark it WIP. Then send you two the link.
16:10:22 <johnsom> Any other announcements this week?
16:10:57 <johnsom> #topic Brief progress reports / bugs needing review
16:11:26 <johnsom> I have posted patches for the PDF docs Train goal. All of them are in pretty good shape except for the Octavia docs.
16:12:03 <johnsom> Three sections are "missing" from the PDF version. I'm not sure why. I have added it to the "PDF Docs" trouble sheet hoping for some help.
16:12:18 <johnsom> The latex seems to have the content, just the latex->pdf process drops them.
16:12:25 <gthiemonge> FYI I added https://review.opendev.org/#/c/682365/ to the review list
16:12:38 <johnsom> I think the patches are good enough to merge and then we can bug fix from there.
16:12:56 <ataraday_> I would like to ask review for
16:12:58 <ataraday_> #link https://review.opendev.org/#/c/681195/
16:13:16 <johnsom> I have also picked up the IPv6 goal work. It is almost done, just some devstack plugin strangeness to figure out. Hope to have that done today.
16:13:31 <ataraday_> And hit this bug
16:13:32 <ataraday_> #link https://storyboard.openstack.org/#!/story/2006560
16:13:46 <ataraday_> but didn't come with anything on it yet
16:15:33 <johnsom> To finish out my week I may try to improve an error message when the user gives us a pass phrase protected pkcs12 bundle.
16:16:04 <johnsom> We have seen a few folks get confused by that as barbican does not accept a pass phrase for pkcs12 "secrets".
16:16:29 <redrobot> 👀
16:17:17 <colin-> have been continuing to test haproxy2.0 with octavia and rm_work's single-process patch. looking good so far and haven't encountered any major issues now that my amp image has the components i wanted (thanks again johnsom)
16:17:19 <openstackgerrit> Ann Taraday proposed openstack/octavia stable/rocky: Fix base (VRRP) port abandoned on revert https://review.opendev.org/682836
16:17:25 <johnsom> redrobot Hi. Just mentioning we need to give a better error message when users upload a pkcs12 to barbican that is pass phrase protected.
16:17:58 <johnsom> redrobot Since secrets don't have a pass phrase parameter.... Which, would kind of be pointless.
16:18:31 <cgoncalves> colin-, there's an open issue with the single-process. ataraday_ has a patch for it up for review
16:18:33 <cgoncalves> #link https://review.opendev.org/#/c/681195/
16:19:10 <colin-> ah i hadn't done one with multiple https listeners but glad we found it already and thanks to ataraday_
16:20:46 <johnsom> Any other updates today?
16:21:18 <cgoncalves> with my stable liaison hat on, I proposed a handful of backport patches. they have been merging rather quick. thank you all for your reviews!
16:21:30 <johnsom> Please focus on getting the bug fixes merged for the RC1.
16:21:53 <johnsom> We should also strive to get our tempest patches merged. We will want to tag a tempest version at the same time.
16:22:07 <cgoncalves> yep
16:22:28 <johnsom> That bug fix above is a good example of a patch we really want in....
16:22:50 <johnsom> #topic Open Discussion
16:22:57 <johnsom> Other topics for today?
16:23:18 <cgoncalves> I have one
16:23:31 <cgoncalves> I put up for review a patch that enables full MAC security by default
16:23:34 <cgoncalves> #link https://review.opendev.org/#/c/682932/
16:23:36 <johnsom> Go for it
16:23:55 <johnsom> Does that include apparmor or only selinux?
16:24:08 <cgoncalves> thus far we have been setting systems to permissive (RHEL, CentOS, Fedora)
16:24:38 <cgoncalves> only SELinux as that is the only place right now we enable/disable
16:25:11 <johnsom> We should probably make this generic enough to work for either platform
16:25:14 <cgoncalves> we can consider including apparmor, sure
16:25:59 <cgoncalves> I'd like to know if this is something folks are positive about or not
16:26:03 <johnsom> I think our friends at Canonical have the apparmor rules, though we may not have them here.
16:26:28 <cgoncalves> production clouds usually have selinux/apparmor enabled, so we would be testing code closer to such envs
16:26:28 <johnsom> I think it is a great idea.
16:27:35 <cgoncalves> colin-, would you have some thoughts? :)
16:27:45 <cgoncalves> or just don't care
16:28:04 <cgoncalves> (valid response anyway)
16:29:14 <cgoncalves> hmm, ok. if there's any feedback please feel free to share it at a later time here on the channel or Gerrit
16:31:13 <cgoncalves> apparmor is in the package install linux. would someone know what is the default setting (permissive/enforcing)?
16:31:21 <cgoncalves> s/linux/list/
16:31:39 <johnsom> I think by default in DIB it's permissive/audit
16:34:20 <johnsom> Other topics today?
16:35:27 <johnsom> Ok, thanks everyone!
16:35:30 <johnsom> #endmeeting