#openstack-meeting-4 log

17:00:04 <cathy__> #startmeeting service_chaining
17:00:04 <openstack> Meeting started Thu Jul 14 17:00:04 2016 UTC and is due to finish in 60 minutes.  The chair is cathy__. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:08 <openstack> The meeting name has been set to 'service_chaining'
17:00:14 <cathy__> hi everyone
17:00:35 <igordcard> hi
17:01:21 <pcarver> hi
17:01:37 <fsunaval> hi
17:02:01 <doonhammer> hi all
17:02:10 <cathy__> Ok, let's start
17:02:12 <scsnow_> hi
17:02:19 <cathy__> #topic Move to using OpenStack Client (OSC)
17:02:32 <LouisF> hi
17:02:41 <mohankumar__> Hi
17:02:46 <cathy__> mohankumar__: I know you are working on this. how is it going?
17:03:04 <yamahata> hello
17:03:33 <mohankumar__> Working on code. Will submit WIP patch soon
17:04:12 <cathy__> mohankumar__: cool, thanks.
17:04:34 <cathy__> #topic Remove the agent_opts for encap which comes from the config
17:05:41 <cathy__> georgewang: This is an action item from last week's meeting. I have created a bug for this.
17:06:27 <LouisF> https://bugs.launchpad.net/networking-sfc/+bug/1602890
17:06:27 <openstack> Launchpad bug 1602890 in networking-sfc "remove the agent_opts for encap which comes from the config" [High,In progress]
17:06:54 <scsnow_> it's trivial fix, I can take it
17:07:08 <cathy__> scsnow_: cool, thanks.
17:07:38 <cathy__> #topic Add port-pair-group param
17:08:06 <s3wong> hello
17:08:10 <cathy__> georgewang: I know you are working on this. When do you think you can upload the patch?
17:08:23 <cathy__> s3wong: hi, you are late:-)
17:08:34 <s3wong> cathy__: yes... late... sorry
17:09:34 <georgewang> i think it should be one or two weeks later.
17:09:44 <cathy__> georgewang: OK, thanks
17:09:50 <cathy__> #topic Tempest Test suite
17:10:15 <cathy__> georgewang: I know you are working on this. How is this going?
17:11:19 <georgewang> I have almost written both api and scenario tests in my local repo. Will make it cover more scenarios
17:11:36 <cathy__> georgewang: OK, thanks.
17:11:42 <cathy__> #topic Rename openvswitch-agent to avoid naming conflict with neutron
17:12:18 <cathy__> #link https://review.openstack.org/334398
17:13:42 <fsunaval> the issue is that SfcOvsAgent is a child class of neutronovsagent
17:13:51 <cathy__> fsunaval: would you like to describe the issue if we rename our OVS agent to see whether others have some good idea how to solve it?
17:14:33 <fsunaval> we currently create /usr/local/bin/neutron-openvswitch-agent
17:15:14 <fsunaval> however, the redhat package management system has issues with that. they want neutron-openvswitch-agent (for pure neutron) and something else for sfc (say neutron-openvswitch-sfc-agent)
17:15:38 <fsunaval> there does'nt seem to be an easy fix to this for now...
17:16:28 <fsunaval> unless we decouple neutronovsagent  from SfcOvsAgent and then use the L2 flow extension manager so that SFC can program into the bridges directly..
17:17:02 <fsunaval> open to any / all other ideas.
17:17:09 <cathy__> s3wong: pcarver yamahata any good idea how to solve this?
17:17:37 <pcarver> sorry, got pulled away. Looking back at IRC now.
17:17:46 <cathy__> mohankumar__: scsnow_ igordcard doonhammer ?
17:18:44 <doonhammer> cathy: sorry no ideas here
17:19:33 <pcarver> cathy: Sorry, no obvious idea from me either
17:19:42 <scsnow_> how this resolved in another neutron projects?
17:19:52 <scsnow_> I think many projects have their own agents
17:20:00 <fsunaval> lbaas and fwaas have their own agents.
17:20:55 <fsunaval> so, in a way, the redhat folks are right. sfc should have its own agent instead of going as the neutron agent with sfc changes.
17:21:36 <fsunaval> anyway, I can continue looking into it ... if anyone has ideas please send email.
17:21:51 <cathy__> scsnow_: fsunaval If SFC has its own agent, does it mean SFC agent needs to duplicate codes of some of the Neutron agent?
17:22:18 <fsunaval> there will be some code duplication but should'nt be much...
17:23:30 <cathy__> fsunaval: If I remember correctly, originally SFC has its own agent and there are a lot of code duplication, we got comments on that and thus changed it to current way
17:23:47 <scsnow_> fsunaval, so I want to have lbaas and fwaas I have to run 3 different agents, right?
17:24:09 <fsunaval> scsnow_: yes...
17:24:46 <fsunaval> cathy__: hopefully with the l2 flow extension manager there should be much less ...
17:25:20 <cathy__> fsunaval: So you mean we will write our own agent which only programs SFC specific tables into the bridge while all others are done by Neutron agent, right?
17:25:48 <fsunaval> cathy__: yes, that is the idea..
17:26:34 <cathy__> fsunaval: rewrite this will be a lot of work. Thanks for looking into this!
17:26:59 <fsunaval> cathy__: I will give update next week on what I find...
17:27:38 <cathy__> fsunaval: thanks.
17:28:03 <cathy__> #topic NSH encap work
17:28:12 <cathy__> igordcard: how is it going?
17:28:34 <igordcard> almost starting, the SFP management work is taking a long time :(
17:28:43 <cathy__> ok
17:28:51 <igordcard> port-chain-create works, but I'm still working on the rest
17:29:18 <igordcard> NSH support will be much quicker to implement than tthis refactoring
17:29:54 <cathy__> igordcard: I just like to make sure on the data path, we will keep the SFF Proxy functionality to support Service Function that does not understand the NSH encap. Is this what you have in mind?
17:30:10 <igordcard> cathy__: yes
17:31:14 <igordcard> cathy__: if a port-pair doesn't specify correlation nsh, it will automatically proxy - is this okay?
17:31:42 <cathy__> igordcard: cool. thanks. Also the new OVS patch for NSH has been completed and is being reviewed in OVS. You can incorporate with that new patch in your testing since that patch is what is being pushed into OVS
17:31:59 <cathy__> igordcard: No
17:32:09 <cathy__> igordcard: what we mean by Proxy is
17:33:10 <cathy__> igordcard: The API specifies an encap mechanism "NSH" or "MPLS" or other, but the switch has to strip off the SFC encap header before forwarding the pkg to the SF.
17:33:44 <cathy__> igordcard: We can not assume that all SF is NSH SFC header aware.
17:34:17 <igordcard> cathy__: so we can use port-pair's service_function_parameters to decide whether to proxy a specific SF right?
17:34:22 <cathy__> In the other direction, when the switch receives the packet from the SF, it needs to do reclassification and adds back the NSH header.
17:34:44 <doonhammer> lgordcard: +1 definitely not - especially if they are hardware based
17:34:47 <cathy__> We already implemented this Proxy functionality for mpls encap.
17:34:55 <cathy__> igordcard: yes
17:35:11 <cathy__> igordcard: that is why there is a SF parameter in the API
17:35:46 <igordcard> doonhammer: +1 or definitely not?
17:36:32 <doonhammer> agree that SF cannot understand all the various encap and transports
17:36:48 <doonhammer> becomes a support nightmare
17:36:58 <igordcard> cathy__: okay my plan was to use that sf parameters to decide whether to proxy or not a specific SF
17:37:16 <cathy__> igordcard: good
17:37:38 <igordcard> cathy__: doonhammer: alright then
17:38:02 <cathy__> doonhammer: Yes, I agree that it will take a long time to have all SF become NSH aware. So SF Proxy functionality will be there for a long time:-0
17:39:46 <doonhammer> cathy: It is not just NSH but it is also the NSH encap transport - I do not see any convergence on that
17:40:10 <igordcard> cathy__: yes, but at the same time networking-sfc can help accelerate NSH support/development in SFs by making it easy to deploy the chains
17:40:48 <cathy__> doonhammer: never mind about the NSH transport, since the OVS tunnel bridge will always strip that off
17:41:17 <cathy__> doonhammer: I assume you are talking about the VXLAN or GRE or other transport for NSH?
17:41:29 <doonhammer> cathy: yes
17:42:23 <cathy__> igordcard: yes, but that depends on the SF appliance companies. Usually it is not easy to have them change. I talked to F5 long time back and got that feeling.
17:43:29 <cathy__> doonhammer: If there is a correlation mechanism between the OVS and the SF for the chain-ID, then the OVS does not need to do reclassification which is expensive.
17:43:57 <doonhammer> cathy: part of the issue is the ASICs we all use in the hardware platforms - more encap means more bits
17:45:16 <doonhammer> cathy: if the classifier is the OVS switch it is easy - if there deeper classification everyone has to agree on the type of classification and taxonomy
17:45:35 <cathy__> doonhammer: do you think SF can create multiple virtual interfaces with each virtual interface mapping to a chain? The virtual interface is not a real interface, but is just for identify different chain packets coming to the SF?
17:46:26 <doonhammer> cathy: yes that is what we do today
17:46:50 <doonhammer> cathy: we do that for multi-tenacy
17:47:03 <cathy__> doonhammer: I am referring to how we can simply the SF Proxy mechanism. Instead of reclassification, if there is a correlation mechanism between the OVS and the SF for the chains, then reclassification is not needed
17:47:39 <cathy__> doonhammer: cool !
17:47:53 <cathy__> doonhammer: yes, I remember you mentioned this in the OVS alias
17:48:18 <doonhammer> cathy: I owe a response to that thread
17:49:05 <cathy__> doonhammer: So if all these chains belong to the same tenant, there is no issue. But if these chains belong to different tenants, does the VM allow multiple interfaces associated with different tenants?
17:49:25 <cathy__> AFAIK, a VM can only associate with one tenant? How did you solve this?
17:49:30 <doonhammer> cathy: the issue with the classification is if one of the SF modifies the flows e.g. flow compression or video encoding etc.
17:50:00 <cathy__> doonhammer: yes, exactly
17:50:39 <cathy__> doonhammer: reclassification has multiple downsides
17:51:29 <cathy__> doonhammer: that is the Nova restriction for VM.
17:51:30 <doonhammer> cathy: a vm can have multiple tenants each with a pair of virtual interfaces , a port-pair. Then each tenant gets a unique port-pair but there is a limit to the number of interfaces - but it is fungible as it is just software
17:52:27 <cathy__> doonhammer: interesting. AFAIK, Farhad did a test and found out that a VM can only take one interface. Farhad?
17:52:57 <cathy__> I mean a VM can take multiple interfaces but these interfaces need to belong to one tenant
17:53:12 <fsunaval> cathy__: VM can take any number of interfaces from the same tenant...
17:53:38 <doonhammer> ah so might be a Nova limitation - I need to look at that
17:53:40 <fsunaval> nova does not allow a VM to attach a neutron-port created in another tenant.
17:53:56 <fsunaval> doonhammer: is your multi-tenant FW supported in Openstack or NSX ?
17:54:02 <doonhammer> NSX
17:54:10 <fsunaval> yes... not in Openstack.
17:54:30 <cathy__> doonhammer: I see. So your VM is not OpenStack Nova created
17:54:56 <cathy__> doonhammer: could you try a VM in OpenStack to see if it works?
17:55:05 <doonhammer> made the bad assumption it would work in OS once we had OVN-SFC working :-(
17:55:27 <doonhammer> cathy: now on my list of todos
17:55:45 <cathy__> doonhammer: great, Thanks! We really like to hear back from you!
17:56:30 <cathy__> Cool. we are running out of time.
17:56:40 <doonhammer> cathy: yes want to clean up the multi-tenant issue with regXboi too
17:56:56 <cathy__> if any of you have any topic you would like to discuss, feel free to post it on the wiki meeting page.
17:57:18 <cathy__> doonhammer: sure.
17:57:23 <cathy__> doonhammer: thanks!
17:57:58 <cathy__> Ok, that's all for today's meeting. Will talk to you next week.
17:58:02 <scsnow_> bye
17:58:03 <LouisF> bye
17:58:04 <cathy__> bye now
17:58:07 <doonhammer> bye
17:58:09 <mohankumar__> Bye
17:58:10 <fsunaval> bye all!!!
17:58:30 <cathy__> #endmeeting