#openstack-meeting-4 log

16:01:16 <Sukhdev> #startmeeting ironic_neutron
16:01:16 <openstack> Meeting started Mon Jun  6 16:01:16 2016 UTC and is due to finish in 60 minutes.  The chair is Sukhdev. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:19 <openstack> The meeting name has been set to 'ironic_neutron'
16:01:24 <TheJulia> o/
16:01:27 <mjturek1> o/
16:01:35 <hshiina> o/
16:01:48 <Sukhdev> good morning everybody
16:02:02 <devananda> o/
16:02:09 <jroll> \o
16:02:14 * jroll in another meeting at the same time again :(
16:02:30 <amotoki> o/
16:02:30 <Sukhdev> jroll : no worries - thanks for attending here
16:02:38 <Sukhdev> #topic: Agenda
16:02:44 <Sukhdev> #link: https://wiki.openstack.org/wiki/Meetings/Ironic-neutron#Meeting_June_6.2C_2016
16:03:13 <Sukhdev> Let me know if anybody would like to add anything to the agenda
16:03:34 <Sukhdev> #topic: Announcements
16:03:46 <Sukhdev> I have no announcements
16:03:55 <Sukhdev> Anybody has any announcements?
16:04:28 <Sukhdev> BTW, I updated my system with the latest patches - will provide update in a bit
16:04:56 <Sukhdev> #topic: Action Items from previous weeks
16:05:23 <Sukhdev> I had an action item to check if neutron is creating a model for the bonded interface
16:05:38 <Sukhdev> based upon this spec - https://review.openstack.org/#/c/182242/14/specs/newton/approved/user-controlled-sriov-ports-allocation.rst
16:06:03 <Sukhdev> I reviewed the patch as well as had discussion with Armando
16:06:30 <Sukhdev> this is a nova patch and there is nothing really being worked on neutron which we can use here for BM servers
16:06:45 <Sukhdev> sambetts : are you here?
16:06:53 <sambetts> Yup
16:07:25 <sambetts> sorry was updating the agenda
16:07:25 <Sukhdev> so, looking at the patch, it seems there is really nothing on the neutron side - it is all nova side of work
16:08:22 <Sukhdev> sambetts : no worries - did you see my comments above?
16:09:11 <sambetts> Yup, cool, thats good news then :)
16:10:03 <sambetts> I wonder if the Nova side changes can/should affect how we handle our bond placement?
16:10:10 <Sukhdev> but, the spec looks good - it requires some clarification - but, it seems nova may be able to deal with this
16:11:06 <Sukhdev> sambetts : from what I see, there is minor change in the restructuring of the models - it is mainly to give flexibility to the uses/operators
16:11:41 <Sukhdev> sambetts : but, yes, there is bond information that can be passed down to the host
16:12:54 <sambetts> ok cool, something to bear in mind from the Ironic nova driver perspective, is there a timescale on the spec? Likely to make it into newton (seems unlikely based on when the feature freeze is)?
16:13:48 <Sukhdev> sambetts : I do not follow nova side of things, I usually rely on jroll for that
16:13:51 <sambetts> I don't see anything list on the BP
16:14:07 <jroll> freeze for nova is end of june
16:14:12 <Sukhdev> I do not believe it is likely - so, we should not rely on it
16:14:28 <jroll> there isn't a large amount of work to do in nova, I think it's possible to get the current work in
16:14:38 <jroll> but not probable, I guess
16:15:32 <Sukhdev> Anything else on this topic?
16:16:08 <Sukhdev> I will add this spec on our agenda going forward so that we can track it
16:16:28 <Sukhdev> #topic: Security Groups support for Baremetal
16:17:00 <Sukhdev> So, I was testing the security group support for BM servers
16:17:53 <Sukhdev> customers really want this to secure the BM deployments
16:18:11 <Sukhdev> So, other than one issue, I got it fully working
16:18:56 <Sukhdev> when we issue neutron port-create, we are not sending the security group ID in the request, which forces neutron to apply default security group
16:19:16 <Sukhdev> which is really deny everything inbound - hence, the server will not boot
16:19:28 <Sukhdev> DHCP will fail and Server will not get IP
16:19:39 <Sukhdev> I tried to fix it two ways -
16:20:08 <Sukhdev> 1) I tried to pass the SG information in the create_port call via port_body
16:20:23 <Sukhdev> neutron did not like it - I have to find a better soulution
16:20:46 <Sukhdev> 2) Add additional rules to the SG before booting the BM
16:20:59 <Sukhdev> 2) worked like a champ
16:21:22 <Sukhdev> and, the SG on the flip works great as well
16:21:41 <devananda> Sukhdev: should we simply be defining default SG on the prov & cleaning networks, then?
16:21:48 <sambetts> I think we should be creating our own an Ironic SG for the provisioning network, and pass it in via port create right?
16:21:54 <Sukhdev> i.e. the SG specified on nova boot --security-group works just fine
16:21:54 <devananda> :)
16:22:22 <Sukhdev> devananda : yes  - we can solve it two ways
16:22:34 <Sukhdev> sambetts : yes - that is what I tried to do -
16:22:42 <devananda> Sukhdev: user should be able to define their own SG for the instance, which may not allow PXE boot, for example
16:22:59 <amotoki> neutron provisions implicit rules which allows DHCP in addition to SG rules.
16:23:08 <devananda> and conversely the user-specified SG should not be able to interfere with ironic's boot/clean phases
16:23:36 <amotoki> i think we can provision rules which are required for BM server provisioning.
16:23:54 <Sukhdev> amotoki : I observed two issues - 1) TFTP failed as well as BM did not get IP address on provisioing network
16:24:14 <Sukhdev> once I added ingress rules to the default SG - all worked just fine
16:24:49 <sambetts> so the problem is that we shouldn't be using the default sec group for provisioning
16:24:57 <devananda> sambetts: ++
16:25:07 <Sukhdev> So, I would like to throw out a question to the team -
16:25:12 <amotoki> Sukhdev: which phase are you talking now? provisioning phase?
16:25:15 <sambetts> we need a [neutron] security_group_id=<uuid> in the config file and should be passing it at port-create
16:25:26 <Sukhdev> amotoki : provisioning only
16:25:40 <amotoki> Sukhdev: got it
16:25:53 <Sukhdev> amotoki : when network flip takes place, everything works fine - as the correct SG is used for the tenant network
16:26:09 <Sukhdev> So, my question to the team is -
16:26:39 <Sukhdev> Do we want to add additional config knob like provisioning_network_uuid for SG ?
16:26:54 <sambetts> +1
16:27:03 <Sukhdev> this will allow operators to create their own SG for provisioning networks
16:27:21 <amotoki> at the moment, +1 to this idea
16:27:59 <Sukhdev> Or are we OK to tell them to add ingress rules to the default SG used for provisioning network
16:28:21 <amotoki> can SG rules for provision vary across operators or deployments?
16:29:03 <Sukhdev> amotoki : good question - I would guess yes
16:29:15 <devananda> I can think of cases where they would, yes
16:29:25 <sambetts> its a possiblity with customised cleaning steps etc that might say download a firmware from somewhere
16:29:33 <sambetts> or other use cases like that
16:29:53 <amotoki> If so, defining a SG for provisioning network makes sense to me.
16:30:46 <sambetts> there is the possiblity that cleaning and provisioning SG rules may also differ I guess
16:30:50 <sambetts> devananda: do you agree ^
16:30:54 <Sukhdev> amotoki : I created a SG for provisioning network and tried to hard-code to make it work
16:31:03 <devananda> sambetts: yea. in my case they wouldn't, but in theory, they could
16:31:15 <amotoki> sambetts: agree
16:32:15 <Sukhdev> So, are we agreeing that we will add two SGs to the ironic config - one for provisioning n/w and other for cleaning?
16:33:06 <sambetts> thats what I'd expect +1
16:33:25 <Sukhdev> jroll devananda : what say you?
16:34:00 <devananda> Sukhdev: +1, with docs / defaults that say "these could be the same network"
16:34:30 <amotoki> +1
16:34:56 <jroll> I haven't been paying attention enough to say
16:35:05 <Sukhdev> while jroll is probably reading the comments, amotoki I have a quesiton for you
16:35:15 <jroll> "yet another config" isn't great, but if it's needed it's needed
16:36:00 <Sukhdev> jroll : this provides flexibility to the operators and SG is a hot button with everybody
16:36:08 <jroll> right, it's probably fine
16:36:41 <Sukhdev> #agreed: We will add two SGs to the ironic config - one for provisioning n/w and other for cleaning
16:36:52 <TheJulia> I think it is okay as long as it can also be defined in the config to none because some oeprators will not use the functionality
16:36:55 <amotoki> have we discussed whether we should provide flexibility or we can achieve the goal with implicit static rules?
16:37:33 <devananda> TheJulia: very good point
16:37:43 <devananda> Sukhdev: we must be able to *disable* this as well
16:37:52 <Sukhdev> amotoki : we have to enhance the implicit rules to allow TFTP in addition to DHCP
16:38:04 <devananda> eg, because the things that work today must continue to work after this feature is added
16:38:18 <amotoki> in my mind, ironic can define implicit required rules for provisioning network.
16:38:30 <amotoki> it is different from a config option.
16:38:54 <TheJulia> Also, not understanding the implementation details, I worry how/where the packet inspection woudl take place, and if it is on a switchport level, then that might have a performance impact based upon the hardware/software in use in the operator environment, but truthfully that is just my lack of context
16:38:55 <Sukhdev> devananda TheJulia : understood - I will add text on the top of our weekly meeting wiki to clarify it - you can review it and correct it
16:39:24 <Sukhdev> amotoki : that is true - if all deployments will use the same rules
16:39:58 <amotoki> Sukhdev: correct. we can start from SG for provisioning network and if it turns out too much flexibilty, we can drop it later.
16:39:59 <Sukhdev> amotoki : if different operators have different rules (will they?) then config option is better
16:40:16 <Sukhdev> amotoki : +1
16:40:54 <Sukhdev> amotoki : I have a different question for you -
16:41:01 <amotoki> Sukhdev: what?
16:41:49 <Sukhdev> amotoki : I tried to hard code the SG ID in the port-body, for neutron port-create and neutron complains in can not find SG
16:42:47 <amotoki> hmm.... does not 'security_gorups: ["SG-ID"]' work?
16:42:55 <amotoki> *security_groups*
16:43:41 <amotoki> Sukhdev: I can test it later. i think we can discuss it separately
16:43:42 <Sukhdev> amotoki : the place where we add binding profile information to the port body (in ironic driver), I tried to add this additional information
16:43:58 <Sukhdev> amotoki : yes, lets take it off-line
16:44:12 <Sukhdev> Anybody has any thing on this?
16:44:34 <Sukhdev> amotoki and I will work out the details of how to make it work - and either one of will push the patch
16:44:54 <sambetts> where is the code right now? Didn't we dicuss in Austin it would require changes to the mech driver API
16:44:57 <sambetts> ?
16:45:00 <devananda> Sukhdev: if I'm following, then this sounds good
16:45:41 <Sukhdev> sambetts : no - no changes to the mech drivers
16:46:14 <Sukhdev> neutron already has full support for SG - all we have to do it is plumb it on the ironic driver to pass correct SG information
16:46:50 <sambetts> Sukhdev: for switch port programming of ingress/egress rules?
16:47:12 <Sukhdev> upon the network flip, it works like a charm - as we use update_port - and neutron port already has correct SG attached to it based upon nova boot parameters
16:47:41 <Sukhdev> sambetts : oh yea, I see what you are asking - yup, that work is needed of course :-)
16:49:22 <sambetts> So we can do SGs on the virtual neutron side, but we can't program the ACLs on the switch yet right?
16:49:53 <Sukhdev> sambetts : yes - thats why customers are not happy
16:50:16 <Sukhdev> Hence, we are addressing this - Arista driver supports it
16:50:23 <sambetts> Ok, whats the plan to get that done on the mech driver API / neutron side?
16:51:22 <Sukhdev> there is nothing special needed in the driver - if your driver support SG for Virtual world, it will work for BM world once we plum what we discussed here
16:51:36 <amotoki> are we talking about generic-switch driver?
16:51:55 <Sukhdev> amotoki: I was talking about of vendor drivers -
16:52:04 <sambetts> I think the problem we disucssed was something along the lines of if I update a SG, that event doesn't make it to the mech driver right now so we can't act on it
16:52:06 <Sukhdev> amotoki : more specifically Arista driver
16:52:26 <Sukhdev> sambetts : correct
16:53:07 <Sukhdev> sambetts : if we plumb it right, it will appear in the port context of the driver (as it does for virtual world) and things will fall in place
16:53:41 <sambetts> does that require changes in neutron?
16:53:41 <Sukhdev> this will bring BM at par with VM servers in terms of SG support - which is what everybody wants
16:53:48 <Sukhdev> sambetts : no
16:54:01 <sambetts> but if the event doesn
16:54:18 <sambetts> t make it to the mech driver, doesn't that need changing
16:55:56 <Sukhdev> sambetts: neutron does not need any change - the port context will now have correct information (which is presently missing) - the drivers can act accordingly then
16:56:09 <amotoki> sambetts: yes and no. no need for change in neutron framework including ML2 plugin. mech driver support is needed.
16:56:49 * Sukhdev lost track of time - 4 min left
16:57:03 <sambetts> Sukhdev: and if I do a neutron sec-group-update it'll propergate to ml2 driver to update the ACLs?
16:57:27 <Sukhdev> sambetts : if you are using neutron callbacks, yes
16:57:50 <Sukhdev> sambetts : a notification is generated
16:58:12 <Sukhdev> sambetts : this is how SG works for Virtual world as well
16:58:28 <Sukhdev> sambetts : ping me off line, I can walk you through the details
16:59:01 <Sukhdev> Anything else on this?
16:59:07 <sambetts> One last question, how do we handle cases where switch hardware only supports a subset of the features of security groups? I've spoken to a couple of people who can only support single direction ACLs
16:59:48 <sambetts> is that down to the mech driver to decide?
16:59:53 <Sukhdev> sambetts: that is very vendor specific thing - you can choose to ignore any event you choose to
17:00:09 <Sukhdev> yes, it is upto vendor driver to decide
17:00:25 <Sukhdev> Folks we are out of time -
17:00:39 <sambetts> thanks guys :)
17:00:42 <Sukhdev> I will keep this on agenda for next week - we can discuss further
17:00:54 <Sukhdev> Thanks for attending - this was a great discussion
17:00:58 <Sukhdev> bye
17:01:05 <Sukhdev> #endmeeting