19:00:10 <oanson> #startmeeting Dragonflow
19:00:11 <openstack> Meeting started Mon Jan  1 19:00:10 2018 UTC and is due to finish in 60 minutes.  The chair is oanson. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:00:14 <openstack> The meeting name has been set to 'dragonflow'
19:00:23 <oanson> So how many survived into 2018?
19:00:45 <leyal> Hi, at least 2 ;)
19:00:52 <oanson> I have two workaholics, and one mean-looking cat.
19:01:22 <oanson> All right. Let's roll with this.
19:01:25 <oanson> #topic roadmap
19:01:47 <oanson> The only progress I know of is in the tempest gate.
19:02:09 <oanson> We have a single failing test remaining - cross tenant communications with Security Groups
19:02:20 <oanson> snapiri found the bug there
19:02:35 <oanson> Bug https://bugs.launchpad.net/dragonflow/+bug/1740739
19:02:36 <openstack> Launchpad bug 1740739 in DragonFlow "Security group mismatch for floating IP" [High,New]
19:02:49 <oanson> I'll go into details here, and skip it in the bugs section.
19:03:03 <oanson> Basically, we saw that the security group rules allow based on the port's IP address.
19:03:03 <leyal> cool, so we will see green tempest soon?
19:03:15 <oanson> leyal, no. That bug is a Biggie :(
19:03:27 <leyal> :(
19:03:36 <oanson> But in cross-tenant, the packet is natted (the test uses floating IPs)
19:03:51 <oanson> So the security group rule doesn't match on the port's floating IP, only the private IP.
19:04:28 <leyal> Is that bug in the test, or is the bug in SG behaviour?
19:04:31 <oanson> This is doubly problematic, because if there is IP overlap between the tenants (which is allowed), then we just allowed access for a different port with that IP, which we shouldn't have
19:04:39 <oanson> The bug is in SG behaviour. This is a real bug
19:05:15 <oanson> I was hoping to get a vote today if the bug should be upgraded to critical. But I guess this will have to wait for tomorrow after everyone reviewed the log
19:05:58 <oanson> I don't have a solution off the top of my head. We need to take into account public IPs (which means mixing dNAT and SG logic)
19:06:26 <oanson> We also need to know when the private IP is routable and only take those cases into account, which means taking the destination port into account in the rules, which is not done at the moment
19:06:28 <leyal> not sure that I understand, we don't have a port field in SG-rule
19:07:02 <oanson> The security group rules rely either on IPs (single or subnets), or on other security groups
19:07:19 <oanson> In the case of other security groups, it means all logical ports which have that security group.
19:07:31 <oanson> i.e. these ports are members of this security group
19:07:52 <oanson> Say I have ports A,B,C,D. I have security group E and F.
19:08:11 <oanson> ports A,B are attached to sec group E, and C,D are attached to group F.
19:08:11 <leyal> yep, got it.
19:08:22 <oanson> Well, I'll finish the example anyway :)
19:08:44 <oanson> Now if group E allows ssh from group F, the ports A,B should allow ssh from port C,D.
19:08:58 <oanson> And if we go through nat, it gets... strange
19:09:34 <oanson> So if anyone has a magical solution, please suggest it on the bug.
19:09:36 <leyal> so we need to separate between IPs on the same tenant; if same tenant use the internal IP, if it's another tenant use the public IP, e.g. NAT
19:09:54 <oanson> In essence, yes.
19:10:31 <oanson> s/same tenant/non-routable networks/. Since the scenario is also valid for same tenant, but different networks.
19:11:12 <oanson> That's all I have for roadmap. leyal, you have something?
19:11:21 <leyal> yep
19:11:29 <oanson> Shoot
19:11:44 <leyal> https://review.openstack.org/#/c/529971/
19:12:11 <oanson> Yes. Very cool, by the way!
19:12:42 <leyal> actually this patch is drivers for kuryr - for using DF to connect between kubernetes pods.
19:13:05 <oanson> Yes
19:13:52 <leyal> it's just a PoC, there is still a lot of work to really use DF as a networking backend for k8s
19:14:06 <oanson> Yes. I see that there are some interesting comments on it
19:14:51 <leyal> yep, got many comments, I will upload a new PS hopefully this week
19:15:01 <oanson> Cool. Looking forward to testing it :)
19:15:36 <oanson> leyal, anything else on this?
19:15:48 <leyal> that's all from my side :)
19:15:54 <oanson> Cool.
19:16:10 <oanson> #topic Bugs
19:16:24 <oanson> We already discussed https://bugs.launchpad.net/dragonflow/+bug/1740739
19:16:25 <openstack> Launchpad bug 1740739 in DragonFlow "Security group mismatch for floating IP" [High,New]
19:16:30 <oanson> That's all I had that was interesting.
19:16:31 <oanson> leyal, ?
19:17:07 <leyal> I don't know about anything else
19:17:24 <oanson> Cool
19:17:24 <oanson> #topic Open Discussion
19:17:33 <oanson> I have nothing here either.
19:17:45 <leyal> me too
19:17:49 <oanson> Cool.
19:17:53 <oanson> Then thanks for coming!
19:17:56 <oanson> #endmeeting