Friday, 2021-03-19

<slaweq> #startmeeting neutron_drivers [14:00]
<openstack> Meeting started Fri Mar 19 14:00:54 2021 UTC and is due to finish in 60 minutes.  The chair is slaweq. Information about MeetBot at http://wiki.debian.org/MeetBot. [14:00]
<openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [14:00]
*** openstack changes topic to " (Meeting topic: neutron_drivers)" [14:00]
<openstack> The meeting name has been set to 'neutron_drivers' [14:00]
<mlavalle> o/ [14:01]
<johnsom> o/ [14:01]
<slaweq> o/ [14:01]
*** dmacpher_ has quit IRC [14:01]
<haleyb> hi [14:01]
<amotoki> hi [14:01]
<johnsom> It has been a while since I attended a drivers meeting. [14:01]
<mlavalle> we've missed you [14:01]
<slaweq> johnsom: welcome (back) :) [14:01]
*** dmacpher has joined #openstack-meeting [14:01]
<johnsom> lol [14:01]
<johnsom> I thought I should join for the designate related RFE topics. [14:02]
*** e0ne has joined #openstack-meeting [14:02]
<slaweq> johnsom: that's great, thx for joining [14:03]
*** Carlotronics has joined #openstack-meeting [14:03]
<Carlotronics> hi [14:03]
*** lajoskatona has joined #openstack-meeting [14:03]
<lajoskatona> Hi [14:03]
<slaweq> #topic RFEs [14:04]
*** openstack changes topic to "RFEs (Meeting topic: neutron_drivers)" [14:04]
*** e0ne has quit IRC [14:04]
<slaweq> maybe we can wait a few more minutes for amotoki yamamoto and njohnston [14:04]
<slaweq> before we will start [14:04]
<mlavalle> amotoki is here [14:05]
<amotoki> hi [14:05]
<slaweq> true [14:05]
<slaweq> I somehow missed You [14:05]
<slaweq> sorry amotoki [14:05]
<amotoki> I already said here :) [14:05]
<amotoki> np [14:05]
<slaweq> so I think we can start [14:05]
<slaweq> rfe to discuss today [14:05]
<slaweq> https://bugs.launchpad.net/neutron/+bug/1904559 [14:06]
<openstack> Launchpad bug 1904559 in neutron "Designate driver: allow_reverse_dns_lookup doesn't works if dns_domain zone wasn't created" [Wishlist,New] [14:06]
<slaweq> thx johnsom for comments there [14:06]
<johnsom> My concern here is the current Designate integration weighs heavily on the forward zone for authorization. Decoupling that would mean we would likely want to do a significant rewrite. [14:07]
<johnsom> Current PTR integration for neutron manages the PTR zones using the service account defined in neutron.conf [designate] [14:08]
*** ociuhandu has joined #openstack-meeting [14:10]
<mlavalle> what would be the outline of a new way to integrate with Designate? [14:11]
<slaweq> so IIUC that rfe would require rewriting a lot of neutron's part of dns integration, right? [14:11]
<slaweq> but it doesn't require significant changes on designate side? is that correct? [14:12]
*** dmacpher has quit IRC [14:12]
<johnsom> Well, to avoid a case where anyone could create a port that adds a PTR record for any IP (valid)/domain, we would need to switch to validating that the user project creating the port has permission to create the PTR record in the zone in designate. [14:12]
<johnsom> slaweq Correct. [14:12]
*** dmacpher has joined #openstack-meeting [14:13]
<johnsom> To me, this seems to complicate the integration for the benefit of automating one PTR create call direct to designate for this edge case. [14:13]
*** ociuhandu has quit IRC [14:13]
*** ociuhandu has joined #openstack-meeting [14:14]
<johnsom> mlavalle At least that is one proposal I came up with. There may be other approaches [14:14]
<slaweq> so based on Your comment I think that maybe we should reject that RFE [14:16]
*** e0ne has joined #openstack-meeting [14:16]
<slaweq> as it seems that effort and potential risks are too big according to the use case [14:16]
<mlavalle> mhhhh [14:16]
*** e0ne has quit IRC [14:16]
<mlavalle> the integration follows an extension and driver approach [14:17]
<johnsom> It is certainly more involved than the proposed patch that decouples the forward zone. [14:17]
<mlavalle> if we can somehow isolate the new approach in a separate driver and the submitter is willing to do the work [14:18]
<johnsom> From a security perspective, PTR records are used to stop spam, some involved TLS certificate validation, etc. [14:18]
<mlavalle> that way we preserve and don't put at risk what we have and let this use case go ahead [14:19]
<johnsom> Sure, an alternate driver is an option. [14:19]
<slaweq> mlavalle: but if that would be separate driver, it doesn't need to be in neutron tree, right? [14:19]
<mlavalle> why not? [14:19]
<mlavalle> I wouldn't mind it to be in our tree [14:20]
<mlavalle> just isolated [14:20]
<slaweq> ok [14:20]
<mlavalle> self contained is a better way to put it [14:20]
<johnsom> It could also be a setting that changes the PTR authentication model. [14:20]
<johnsom> And lots of docs... lol [14:21]
<mlavalle> so we could conditionally approve this RFE and make it subject to a spec [14:21]
<mlavalle> see if we can spec it out [14:21]
<johnsom> +1 for a spec [14:21]
<slaweq> +! [14:21]
<slaweq> +1 [14:21]
<mlavalle> and yes, as the wise man of Oregon said above, lots of docs [14:21]
<johnsom> grin [14:22]
<amotoki> I am okay for a spec (I am in a way to understand this) [14:22]
<slaweq> so I will mark rfe as approved as a concept and we will continue discussion about details in the spec's review [14:22]
<slaweq> ok for You? [14:22]
<johnsom> +1 [14:22]
<mlavalle> +1 [14:23]
<amotoki> +1 [14:23]
<haleyb> +1 [14:23]
<slaweq> ok, that's done [14:23]
<slaweq> thx [14:23]
*** ociuhandu has quit IRC [14:23]
<slaweq> as we have Carlotronics here maybe we can talk also about the second designate related rfe [14:23]
<slaweq> https://bugs.launchpad.net/neutron/+bug/1918424 [14:23]
<openstack> Launchpad bug 1918424 in neutron "[RFE] RFC 2317 support in Neutron with designate provider" [Wishlist,New] [14:23]
<slaweq> where johnsom asked some questions recently [14:24]
<johnsom> This one I feel like I need more information about the use case. [14:24]
*** Carlotronics has quit IRC [14:25]
<johnsom> As I mentioned above, the current Designate integration model is for PTR records to be "owned" by neutron. It abstracts the PTR zones completely and automatically creates the parent zone for an IP address if it doesn't exist today. This allows any IP to be properly handled without the RFC2317 strategy. [14:26]
*** viks____ has joined #openstack-meeting [14:26]
*** Carlotronics has joined #openstack-meeting [14:26]
<slaweq> Carlotronics: did You see johnsom's comments about Your RFE? [14:28]
<slaweq> I think You were disconnected for some time [14:29]
*** ociuhandu has joined #openstack-meeting [14:29]
<Carlotronics> slaweq Yes I saw it, but I don't understand the relation; the problem exposed in the RFE is precisely that we can't currently have PTR on non octet-boundary zones [14:30]
<Carlotronics> my internet connection is not very stable [14:31]
<johnsom> Carlotronics How would you end up with a non-octet-boundary zone with the current designate integration? [14:32]
<Carlotronics> I would let Neutron create it by specifying ipv4_ptr_zone and ipv4_ptr_record_template as stated in the rfe [14:33]
<johnsom> The integration currently creates any required parent zone, sized to the prefix defined in the neutron.conf. You may end up with zones in Designate that are bigger than the subnet, but they are shared by the integration plugin. [14:33]
*** ociuhandu has quit IRC [14:34]
<johnsom> I understand the proposal, I'm just not understanding the need or use case for this. [14:34]
<Carlotronics> our use case is that our provider delegates us a /25, thus we cannot use the whole rDNS zone for it because it is already managed by our provider [14:35]
<johnsom> Is this really about slicing up reverse zones, some are managed by neutron/Designate and some that are outside the cloud? [14:36]
<Carlotronics> johnsom yes, and as far as I understand (but I could be wrong, I don't have much experience) rfc2317 is all about that [14:38]
<johnsom> Ok, would you mind adding this use case example to the RFE? It was clear the proposed solution, but not the use case behind it. [14:38]
<Carlotronics> johnsom sure, I'll do it [14:39]
<johnsom> Carlotronics Yes. What mechanism would put the 0-25 records in the parent provider zone? [14:39]
<johnsom> That would not be automated under this proposal right? There would be a required prerequisite step or two. [14:40]
<Carlotronics> I hadn't thought about it. I'd be inclined to say it fills the area by hand, but maybe @Mareo could help me with that [14:40]
*** ociuhandu has joined #openstack-meeting [14:40]
<Carlotronics> johnsom no, this proposal would not be of any help on provider side (for setting CNAME and NS to 0-25 zone) [14:41]
<johnsom> Ok, yeah. So I think we should discuss those steps. [14:41]
<slaweq> johnsom: do You think we should have spec for that one too? [14:42]
<johnsom> I hate to say it, but I would lean towards a spec on this one as well, just to capture the required workflow such that we can document it clearly. [14:42]
<johnsom> slaweq You are a mind reader [14:42]
<slaweq> :) [14:42]
<slaweq> so I propose that we can also approve the rfe and next step will be spec with details to review [14:43]
<slaweq> ok? [14:43]
<johnsom> Otherwise we could have zones that don't work if the prerequisite steps were not completed. [14:43]
<johnsom> +1 from me [14:43]
<amotoki> yeah, +1 for a spec to clarify the whole picture including prerequisites. Prerequisites and assumptions look like an important part in this RFE. [14:44]
*** ociuhandu has quit IRC [14:44]
<Mareo> johnsom, I don't understand, if you are able to put records in the parent zone, you do not need this mechanism at all [14:45]
<Mareo> this RFE is targeted specifically for the case when the parent zone is managed by another entity than the one managing the openstack cluster [14:46]
<Mareo> For instance wikimedia had the same issue : https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/DNS/Designate#dns-floating-ip-updater [14:47]
<johnsom> Mareo So, as the RFE is written, the parent reverse zone, 2.0.192.in-addr.arpa. would require a NS record and a CNAME record for every potential IP in the /25 be pre-created. Then the integration would manage the 0-25 zone and map the IP to the xyz.example.com. reverse record. [14:47]
<Mareo> yes, this is exactly what rfc 2317 is about [14:48]
<johnsom> Mareo So, all of those CNAME records must be created in the parent zone by some means. [14:48]
<risson> yes but that's the provider's job, it has nothing to do with designate/neutron [14:49]
<risson> hi btw! [14:49]
<johnsom> Mareo This is the prerequisite requirements I am commenting need to be captured and documented since the integration will not (per the current proposal) automate that. [14:49]
<risson> it's virtually impossible to automate it [14:50]
<risson> but yes, it indeed requires some documentation [14:50]
<Mareo> I agree with the need to have some documentation [14:50]
<johnsom> Lots of folks have interesting duct tape and bubble gum solutions to things... grin [14:50]
<slaweq> so do we really need a spec before implementation? or simply documentation update together with implementation patch would be enough? [14:51]
<johnsom> In my opinion, the RFE does not clearly define the "included in integration" and "prerequisites"/workflow. This is what we can clarify in the spec such that all that is needed gets documented. [14:52]
<slaweq> I'm fine with that [14:53]
<slaweq> so are You all ok with my earlier proposal - approve the rfe and to have spec as next step? [14:53]
<mlavalle> +1 [14:53]
<amotoki> +1 from me [14:54]
<amotoki> we need the whole picture in a spec to clarify what we need. [14:54]
<johnsom> +1 I am in favor of a spec (doesn't have to be the full docs obviously) [14:54]
<haleyb> +1 [14:54]
<johnsom> This can also solidify the changes needed on the Designate side to accommodate the hyphen, etc. [14:55]
<slaweq> ok, thx [14:55]
*** Luzi has quit IRC [14:55]
<slaweq> so we have an agreement [14:55]
<slaweq> Carlotronics: can You write spec for that now? [14:55]
<johnsom> Carlotronics I will help with the spec as well. [14:55]
<slaweq> we are almost on top of the hour [14:56]
<slaweq> so I just wanted to quickly ask You about checking https://review.opendev.org/c/openstack/neutron/+/780978 [14:57]
<Carlotronics> slaweq yes, I will work on it. thanks johnsom for the offer [14:57]
*** imcsk8 has quit IRC [14:57]
<slaweq> Carlotronics: thx [14:57]
<slaweq> we talked about that patch on Tuesday's meeting already [14:57]
<slaweq> but I'm not sure if we really should relax those new policies [14:57]
<amotoki> slaweq: I will add my reply soon. I am catching up on the discussion on project with system-scoped token. [14:57]
*** ociuhandu has joined #openstack-meeting [14:57]
<slaweq> as they are "opt-in" for users, so by default old behaviour will still be the same as was until now [14:57]
<slaweq> amotoki: thx [14:58]
<slaweq> btw. I want to add release note to the wallaby release notes about those new secure rbac policies [14:58]
*** imcsk8 has joined #openstack-meeting [14:58]
<slaweq> but I will highlight it as experimental feature for now [14:58]
<slaweq> I hope You are fine with it [14:58]
*** macz_ has joined #openstack-meeting [14:59]
<slaweq> and last thing from me [14:59]
<slaweq> please add patches from list [14:59]
<slaweq> https://review.opendev.org/q/topic:%2522secure-rbac%2522+status:open+project:openstack/neutron [14:59]
<slaweq> to Your review list :) [14:59]
<slaweq> thx in advance [14:59]
<slaweq> and that's all from me for today [14:59]
<slaweq> thx for attending the meeting [14:59]
<slaweq> have a great weekend [15:00]
<slaweq> o/ [15:00]
<slaweq> #endmeeting [15:00]
<lajoskatona> o/ [15:00]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" [15:00]
<openstack> Meeting ended Fri Mar 19 15:00:09 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [15:00]
<openstack> Minutes:        http://eavesdrop.openstack.org/meetings/neutron_drivers/2021/neutron_drivers.2021-03-19-14.00.html [15:00]
<openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/neutron_drivers/2021/neutron_drivers.2021-03-19-14.00.txt [15:00]
<openstack> Log:            http://eavesdrop.openstack.org/meetings/neutron_drivers/2021/neutron_drivers.2021-03-19-14.00.log.html [15:00]
<amotoki> have a great weekend o/ [15:00]
<Carlotronics> o/ [15:00]
<mlavalle> o/ [15:00]