#openstack-lbaas log

16:00:38 <gthiemonge> #startmeeting Octavia
16:00:38 <opendevmeet> Meeting started Wed Jun  5 16:00:38 2024 UTC and is due to finish in 60 minutes.  The chair is gthiemonge. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:38 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:38 <opendevmeet> The meeting name has been set to 'octavia'
16:00:42 <gthiemonge> o/
16:00:51 <johnsom> o/
16:00:55 <tweining> o/
16:02:43 <gthiemonge> #topic Announcements
16:02:47 <gthiemonge> * 2024.2 Dalmatian Release Schedule
16:03:07 <gthiemonge> nothing special here but I would like to share that I'm going to update the priority review list
16:03:23 <gthiemonge> IMHO it's better to have it now than just before the next milestones
16:03:39 <tweining> true
16:03:57 <gthiemonge> note: we may have a lot of merge conflicts in the existing reviews now that the f-string patch is merged
16:04:31 <johnsom> No "may" about it, there are a lot
16:05:04 <tweining> probably a good opportunity to identify zombie patches
16:05:20 <tweining> ie. those who don't get rebased
16:05:31 <johnsom> And neglected patches, there seem to be a lot of those as well
16:06:02 <gthiemonge> yeah
16:07:58 <opendevreview> Gregory Thiemonge proposed openstack/octavia-tempest-plugin master: Check stability of rocky jobs  https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/921269
16:08:17 <gthiemonge> that's all for my announcements, do you have anything else?
16:08:44 <tweining> no
16:09:20 <johnsom> Nope
16:10:16 <gthiemonge> #topic CI Status
16:10:32 <gthiemonge> rockylinux jobs are failing in octavia-tempest-plugin (they are non-voting)
16:10:43 <gthiemonge> it's under investigation
16:11:25 <johnsom> I have not had a chance to look at the IPv6 only job yet.
16:11:45 <gthiemonge> there are still a few commits stuck on 2023.1 because grenade was failing, I rechecked one of them to see if it passes, then I'll recheck the remaining reviews
16:11:46 <tweining> https://review.opendev.org/c/openstack/octavia/+/920989 https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/921269 for reference, these are the patches about failing rocky9 jobs
16:12:01 <tweining> (and thanks for identifying the issues)
16:13:05 <tweining> re CI, we still need to make adjustments to jobs for 2024.2. I rebased Takashi's patch series before the meeting
16:13:22 <gthiemonge> +1
16:13:23 <tweining> https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/915853
16:13:28 <gthiemonge> thanks
16:13:38 <tweining> https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/915852/3/zuul.d/jobs.yaml should we continue to test unmaintained branches in the CI?
16:14:05 <johnsom> No, some have already started to break due to devstack changes
16:14:43 <tweining> ok, I will propose a new patch that will replace the patch series then. I already started working on it.
16:15:09 <gthiemonge> ack, thank you tweining
16:17:27 <gthiemonge> #topic Brief progress reports / bugs needing review
16:17:55 <tweining> please go first, if you have anything. I have a few things
16:18:08 <gthiemonge> nothing from me ;-)
16:18:22 <johnsom> #link https://review.opendev.org/c/openstack/devstack/+/885468
16:18:33 <johnsom> I.e. anything using focal won't stack now
16:18:53 <johnsom> I am working on the nftables part of the SR-IOV for member ports.
16:18:57 <tweining> good to know
16:19:46 <johnsom> I hit a speed bump yesterday in that I was using the "ingress" hook in nftables for the rules, which simplifies the rules because I could hook a specific interface (i.e. eth1).
16:20:23 <johnsom> The problem is, you can't use conntrack rules here, so you can't enable "established" rules to allow return traffic from calls out.
16:21:14 <tweining> that SRIOV stuff only works with nftables, right?
16:21:32 <johnsom> So, I need to move everything to "input", and interface handling, and figure out the best way to structure these rules. The tricky part is the member interface add/remove is async so, it's harder to build a "whole" rule set for each plug/unplug
16:22:08 <johnsom> Yes, that is a choice I made. Move to only support nftables, as most distros are doing the same
16:22:55 <tweining> or, in other words, it would break without nftables. So, wouldn't that break rocky9 jobs then if we disable nftables there?
16:23:38 <johnsom> Yes, the image builder now requires nftables
16:24:00 <gthiemonge> (that's another problem but we need to fix nftables in rocky9 if nftables is the issue)
16:24:59 <johnsom> Rocky 9 should have nftables as centos 9 did
16:26:47 <johnsom> If you think it has an nftables issue and want me to take a look, send me the build link
16:29:01 <tweining> https://zuul.opendev.org/t/openstack/build/25eb991b4e3c4f1995cd858393d95e51 for instance
16:29:42 <tweining> I guess we can move on
16:29:57 <tweining> https://review.opendev.org/c/openstack/octavia/+/919846 Fix cipher configuration for TLSv1.3
16:30:27 <tweining> that patch is now complete. I tested it and it covers now both frontend and backend encryption
16:30:55 <tweining> I also added a comment in the bugreport that describes my steps for verifying the fix.
16:31:23 <QG> Ah cool, thanks tweining
16:31:27 <johnsom> Cool, thanks for working on that
16:32:09 <tweining> I didn't do a lot of programming in Python in the last few months. That's why I really enjoyed writing some Python code again for the TLS cipher config fix.
16:32:30 <tweining> The code does quite a lot of things considering that it's just very few lines. I think in most other programming languages the same change would require a lot more code that would probably be a lot less readable.
16:32:52 <tweining> enough rambling. please review. :)
16:33:22 <tweining> https://review.opendev.org/c/openstack/octavia/+/921356 Replace use of deprecated cert.not_valid_after. I found this deprecation warning during testing with devstack. I didn't do any testing of this, but it looks like it shouldn't break anything.
16:34:23 <tweining> https://review.opendev.org/q/topic:%22mypy%22+repo:openstack/octavia last but not least please don't forget the typing patches
16:35:08 <gthiemonge> ack
16:36:56 <gthiemonge> #topic Open Discussion
16:38:19 <tweining> nothing else from me
16:39:14 <johnsom> I don't think I have anything else either
16:39:57 <gthiemonge> ok!
16:40:00 <johnsom> I am pretty sure that rocky job is failing for reasons other than nftables. It can't reach the amp, which doesn't use nftables, it relies on security groups.
16:40:37 <johnsom> unless rocky has some "default" firewall setup different than the others
16:40:46 <gthiemonge> yeah it's really weird, but the only recent change in the amp is that we have enabled nftables by default
16:41:04 <gthiemonge> and based on my experience, rockylinux has some issues when using nftables
16:41:07 <johnsom> That is only used inside the netns for lvs right?
16:41:14 <johnsom> Unless you have sr-iov enabled
16:41:40 <gthiemonge> it may have default rules for the other interfaces
16:41:57 <QG> I have a quick question about ports quota and loadbalancer creation
16:43:12 <QG> we may have spot a bug, when you create a loadbalancer and you only have enough quota to create the vrrp port but not more, Octavia is returning a 500
16:43:50 <QG> Does this sound familiar? i will create a bug in launchpad
16:44:00 <gthiemonge> the octavia-api only checks that it can create a VIP port
16:44:08 <gthiemonge> 500 is weird there
16:44:10 <johnsom> Hmm, not normal.
16:44:24 <gthiemonge> yeah please create a launchpad
16:44:27 <johnsom> We should not be returning a 500 to the user. Please open a bug
16:45:15 <gthiemonge> QG: yoy don't have enough quota in the user's project or in the project that runs Octavia?
16:45:37 <QG> In the user's project
16:46:08 <gthiemonge> interesting, but yeah 500 is a bug
16:46:12 <johnsom> Oh, please review: https://review.opendev.org/c/openstack/octavia/+/919974 it is a backport candidate
16:47:13 <gthiemonge> ack
16:47:25 <QG> ok and i think it let the vrrp created without deleting it
16:49:01 <gthiemonge> there's known issue with leaked ports on errors: https://bugs.launchpad.net/octavia/+bug/2015320
16:49:27 <QG> ok thanks !
16:50:38 <gthiemonge> any other topics for today?
16:50:56 <QG> Ah, and we'll try to get back to Octavia's topic with the deployment of amphoras on several AZs. ( https://review.opendev.org/c/openstack/octavia/+/558962 )
16:51:58 <gthiemonge> wow
16:53:05 <gthiemonge> don't hesitate if you need help
16:53:41 <gthiemonge> ok folks!
16:53:49 <gthiemonge> thank you for the discussions
16:53:52 <gthiemonge> have a good week
16:53:56 <gthiemonge> #endmeeting