#openstack-meeting-4 log

14:00:47 <apuimedo> #startmeeting kuryr
14:00:48 <openstack> Meeting started Mon Sep 26 14:00:47 2016 UTC and is due to finish in 60 minutes.  The chair is apuimedo. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:51 <openstack> The meeting name has been set to 'kuryr'
14:01:04 <apuimedo> Hello and welcome all to another kuryr meeting
14:01:08 <vikasc> o/
14:01:14 <apuimedo> who's here for the meeting?
14:01:18 <limao_> o/
14:01:20 <lmdaly> o/
14:01:42 <apuimedo> irenab: banix: are you in there?
14:01:54 <banix> o/
14:02:11 <yedongcan> o/
14:02:20 <tonanhngo> 0/
14:02:35 <apuimedo> #info vikasc limao_ lmdaly banix yedongcan tonanhngo apuimedo present
14:02:43 <apuimedo> Thank you all for joining today!
14:02:58 <apuimedo> #topic kuryr: rest/rpc
14:03:17 <vikasc> i am sorry, could not update the patches.
14:03:27 <vikasc> tagetting this week
14:03:35 <apuimedo> #info A deployment configuration patch from vikasc got merged https://review.openstack.org/362023
14:03:49 <apuimedo> vikasc: no worries, I just cherry-picked what was ready to be merged
14:03:57 <mchiappero> o/
14:04:00 <vikasc> apuimedo, thanks
14:04:03 <apuimedo> looking forward to review new versions of the other ones
14:04:23 <apuimedo> #action vikasc to rework the other patches
14:04:32 <apuimedo> #link https://review.openstack.org/362023
14:04:33 <ivc_> o/
14:04:42 <apuimedo> #link https://review.openstack.org/361993
14:04:49 <apuimedo> welcome mchiappero and ivc_
14:05:13 <apuimedo> vikasc: is there anything about the rest/rpc you want to bring up?
14:05:41 <vikasc> apuimedo, nothing specific.
14:06:11 <apuimedo> reminder to others: this is about having the kuryr daemons that run in instances communicate with a kuryr server outside of the nova instances to perform the neutron/keystone actions
14:06:16 <apuimedo> vikasc: ok
14:06:30 <apuimedo> #topic kuryr: port binding
14:07:28 <apuimedo> #info lmdaly contributed a PoC patch for ipvlan based kuryr networking in the mailing list http://lists.openstack.org/pipermail/openstack-dev/2016-September/104166.html
14:08:14 <apuimedo> #info apuimedo took the ipvlan part of it, added macvlan too and submitted a WiP patch againts opentack/kuryr https://review.openstack.org/375864
14:08:25 <apuimedo> lmdaly: did you have time to take a look at the WIP patch?
14:08:51 <lmdaly> yeah I had a quick look - not too in depth look yet
14:08:52 <apuimedo> The idea is that if we add the ipvlan/macvlan code to kuryr-lib we'll be able to leverage it for both kuryr-libnetwork and kuryr-kubernetes
14:09:21 <apuimedo> so I took the liberty of doing that with part of what I saw on your patch
14:09:33 <apuimedo> I wonder if it would be usable for Ironic
14:09:39 * apuimedo has no idea, never tried ironic
14:10:04 <apuimedo> lmdaly: quick question, why do you set the L2_Mode for ipvlan instead of the L3_mode
14:10:25 <apuimedo> I am not familiar with the distinction between the modes in the kernel driver
14:12:14 <apuimedo> well, we can get back to it in a moment :-)
14:12:15 <mchiappero> L2 should allow brodcast frames to be received by the containers
14:12:41 <apuimedo> oh, that's interesting
14:12:49 <mchiappero> I can't tell about Ironc, but I guess it might work (to be verified)
14:13:02 <apuimedo> #topic kuryr-libnetwork: dropping netaddr
14:13:58 <apuimedo> #info we are dropping netaddr as ipaddress is part of the core standard library in python3 and it has a backport in python2. The change has already landed in kuryr-lib and it is under review for kuryr-libnetwork. Please use ipaddress in new code
14:15:02 <apuimedo> if there is any question on that, let me know. I'm now verifying it's operation
14:16:06 <apuimedo> #topic kuryr-libnetwork: container-in-vm
14:17:00 <apuimedo> #info Part of the PoC lmdaly submitted should be incorporated into the kuryr-libnetwork codebase http://lists.openstack.org/pipermail/openstack-dev/2016-September/104166.html
14:17:28 <apuimedo> #action apuimedo to find a way to pass the instance neutron port + the newly allocated IP for port-binding to happen
14:18:23 <apuimedo> lmdaly: limao_: does updating the neutron port with the extra addresses make the new addresses count as allocated, if you ask Neutron IPAM?
14:18:48 <limao_> no
14:19:06 <lmdaly> +1
14:19:53 <lmdaly> you should have the new ip address in create_or_update_port so should be able to pass to binding from there?
14:19:54 <limao_> :) in my mind, you have to create port to allocate ip
14:19:57 <apuimedo> alright, so in that case, I guess, in the patch to kuryr-libnetwork, we should create a Neutron port which we'll not really bind, and pass it as nested_neutron_port
14:20:05 <apuimedo> to kuryr-lib port binding method
14:20:14 <limao_> Yes, +1
14:20:41 <mchiappero> would it be possible?
14:20:47 <pablochacin> apuimedo: is this somehow related to the idea I proposed you the other day regarding enabling plugins for the CNIDriver?
14:21:04 <ivc_> does that mean we'll never see that port as 'ACTIVE' in neutron?
14:21:04 <apuimedo> pablochacin: no, no, we'll get to that later :P
14:21:23 <apuimedo> ivc_: that's the unfortunate side effect, yes
14:21:45 <apuimedo> ivc_: limao_ mchiappero lmdaly: is there a way to interface directly with Neutron's IPAM?
14:21:56 <limao_> Yes, it will be never ACTIVE, because we never "bind" this port in neutron
14:22:01 <ivc_> so we are using neutron port but neutron does not know about it ... can't say i like that idea
14:22:17 <apuimedo> IMHO it could be argued with Neutron folks that updating allowed_address_pairs could warrant an IPAM update on the neutron side
14:22:32 <lmdaly> briefly investigated but found that creating a port was the only way (that I could find) to reserve IP
14:22:58 <apuimedo> so how about we do two things in parallel:
14:23:31 <ivc_> apuimedo that would be a much cleaner approach imho. also are you sure that security groups / iptables work correctly?
14:23:42 <apuimedo> a) in kuryr-libnetwork for now we Create the ipam reservation port and pass it to kuryr-lib's port binding. Then update the instance port allowed address pairs
14:24:00 <apuimedo> b) Submit to Neutron the request to update the IPAM with allowed address pairs
14:25:04 <apuimedo> ivc_: IIRC, allowed address pairs cleans the iptables that would kill the communication
14:25:11 <apuimedo> s/cleans/tweaks/
14:25:39 <apuimedo> ivc_: security groups wise it won't matter, because all communication is allowed within a security group
14:25:53 <vikasc> apuimedo, how 'b' would be done?
14:26:18 <apuimedo> and since the instance port and the reservation port have the same security group, it should probably work
14:26:32 <apuimedo> vikasc: I'll start by asking some neutron folks if they think the idea is crazy
14:26:38 <apuimedo> then I'll update the ml
14:26:40 <lmdaly> There is also an issue with updating the allowed-address-pairs as the longer the list of IPs the longer it takes to update port - it would be much easier if it the list could be appended to when updating the instance port
14:26:46 <apuimedo> #action apuimedo to update the mailing list
14:26:54 <vikasc> apuimedo, got it, thanks
14:27:17 <limao_> I believe b) will not be accepted neutron in my mind, as allowed address pairs is to add exception for anti-ip-spoofing...
14:27:22 <apuimedo> lmdaly: that's why I want to propose that updating the instance port triggers the ipam reservation
14:27:49 <apuimedo> limao_: I was hoping for some flag
14:28:07 <limao_> OK, let's have a try ~
14:28:10 <apuimedo> lmdaly: as I agree that paying iptables price plus an extra roundtrip is not a good price
14:29:04 <limao_> Is there possible to have option 3), disable port security when create network
14:29:23 <apuimedo> limao_: I'm not sure that would be acceptable in the Magnum context
14:29:36 <mchiappero> also, the 10 IPs limits is a bit annoying, unless can be overridden programmatically
14:29:39 <hongbin> o/
14:29:58 <apuimedo> mchiappero: I think it is reasonable to ask for configuration changes
14:30:26 <mchiappero> apuimedo: but I presume the limit is there for a reason
14:31:00 <limao_> I'm not sure how to use security group since all the containers on the vms will share the vm port security group
14:31:01 <apuimedo> mchiappero: I can only imagine it is to prevent abuse
14:31:17 <mchiappero> apuimedo: overriding is usually not great, and can be confusing when troubleshooting, but in this use case it's definitely too low
14:31:52 <apuimedo> limao_: this ipvlan proposal assumes all the containers are on the same network as the instance, so it feels right that they implicitly receive the same security group policing as the instance port
14:32:03 <apuimedo> mchiappero: agreed
14:32:05 <mchiappero> apuimedo: it would be interesting to hear from the neutron folks
14:32:38 <hongbin> limao_: I guess it is OK, since security group is openstack-specific. Docker users won't care the security group too much
14:32:43 <apuimedo> mchiappero: in the future, ocata/pike, I hope we can use the "vlan" aware VMs with IP/mac segmentation instead of Vlans
14:32:58 <apuimedo> which will allow us to have containers in different nets than the instances
14:33:28 <apuimedo> but I feel like this proposal from lmdaly's team is a good short term compromise while we get there
14:33:41 <vikasc> limao_, sorry, i think i missed context somewhere. Why do we want to disable security groups?
14:33:41 <apuimedo> and it will provide us with a lot of information about the path forward
14:34:24 <apuimedo> hongbin: limao_: you'd have to disable port security for the instance port too, I'm afraid
14:34:29 <apuimedo> not just the containers
14:35:06 <limao_> vikasc:  port security is not only security group, but also anti-ip-spoofing , anti-arp-spoofing, anti-mac-spoofing
14:35:28 <hongbin> apuimedo: how about to have all containers to share a security group
14:35:30 <limao_> allowed address pair is to add exception for anti-ip-spoofing
14:35:40 <apuimedo> hongbin: that's what the proposal says
14:35:46 <hongbin> apuimedo: ok
14:35:58 <apuimedo> hongbin: as I said, I think it is a good first step
14:36:13 <apuimedo> but it definitely has its caveats as you can see
14:36:23 <limao_> apuimedo: port-security can be done in port level and network level I believe
14:36:46 <apuimedo> limao_: can you elaborate on the network level?
14:36:58 <apuimedo> (we should take this to #openstack-kuryr after the meeting)
14:37:05 <apuimedo> (other topics to tackle)
14:37:10 <vikasc> limao_, is it like undoing the effects of creating neutron port?
14:37:56 <limao_> Let's discuss after meeting vikasc, apuimedo
14:38:01 <apuimedo> agreed
14:38:04 <apuimedo> thanks limao_
14:38:07 <vikasc> limao_, sure +1
14:38:40 <apuimedo> #action discuss port creation/security group in container-in-vm at #openstack-kuryr
14:38:52 <apuimedo> #topic kuryr-libnetwork: outstanding bugs
14:39:23 <apuimedo> #info yedongcan has done some much needed bug scrubbing on the kuryr-libnetwork project
14:40:07 <apuimedo> I would request active contributors who have reported bugs to check if their open bugs are still unaddressed, if so, please, mark them as triaged, otherwise mark them as resolved
14:40:48 <apuimedo> in case it's not clear, please, bring it up on IRC or on the mailing list, we have a long list of bugs and we need to do a better job at cleaning up the queue
14:41:15 <apuimedo> I would like to propose that each week somebody takes the new bug triaging duty
14:41:43 <apuimedo> #info apuimedo proposes "weekly new bug triaging" rotating duty
14:42:16 <vikasc> +1
14:42:19 <apuimedo> #action apuimedo to review latest comments on https://launchpad.net/bugs/1626011
14:42:30 <openstack> apuimedo: Error: Could not gather data from Launchpad for bug #1626011 (https://launchpad.net/bugs/1626011). The error has been logged
14:42:41 <apuimedo> yedongcan: sorry I didn't get to your comments yet :(
14:43:23 <apuimedo> #topic kuryr-kubernetes
14:44:16 <apuimedo> #info We now have a kuryr-kubernetes devstack plugin. It should give you a nice setup for the integration work with the OSt pieces in the host and the unmodified Kubernetes pieces in containers
14:44:30 <apuimedo> let me know if you encounter any issues with it
14:44:56 <apuimedo> We should definitely use this to add fullstack tests as we contribute new code
14:45:41 <apuimedo> any questions about the devstack plugin?
14:46:10 <apuimedo> alright, moving on
14:46:35 <apuimedo> #topic kuryr-kubernetes: python3 asyncio
14:47:42 <apuimedo> #info pablochacin proposed on IRC a pluggable CNI approach so that if the CNI driver sees some specific annotations, it can execute scripts
14:48:11 <apuimedo> this would allow vendors and other integrations to be properly timed with the kuryr binding
14:48:34 <apuimedo> #info we'd allow plugin scripts before and after binding
14:49:30 <ivc_> what would the script api look like? what/how info would be pushed to them?
14:49:45 <ivc_> and do we have an actual use case for it?
14:50:02 <apuimedo> pablochacin: can elaborate on the example use cases
14:50:10 <ivc_> (but i like the idea in general)
14:51:02 <pablochacin> The idea is to allow third-party components to be informed about bindings
14:51:03 <apuimedo> the api would be basically adding annotation to the pod resource
14:51:14 <apuimedo> if the pod resource has an annotation like
14:51:25 <apuimedo> before_nic_binding
14:52:03 <apuimedo> {'my_extension': {..}}
14:52:09 <apuimedo> you'd go to the /usr/libexec/kuryr/before_nic_binding/my_extension
14:52:10 <ivc_> why could not 3rd party components watch the resources the same way we do?
14:52:15 <pablochacin> apuigmedo: I if you are talking about my proposal, i wasn't thinking about using pod annotations
14:52:30 <apuimedo> and pass it the data in {...}
14:52:50 <apuimedo> pablochacin: oh, sorry, I was projecting a bit of what I thought about it
14:53:00 <pablochacin> no problem.
14:53:04 <ivc_> we should probably discuss it on #openstack-kuryr after meeting
14:53:13 <apuimedo> pablochacin: I think the best is we do a mailing thread about it
14:53:16 <apuimedo> ivc_: ^^
14:53:20 <pablochacin> Ok, better
14:53:33 <apuimedo> we can then catch each other on IRC to bounce ideas off in real time too
14:53:42 <apuimedo> pablochacin: anything else from your side?
14:53:58 <apuimedo> #action pablochacin to send the CNI plug scripts proposal to the mailing list
14:55:03 <apuimedo> #topic kuryr-kubernetes: python2/3 eventlet
14:55:30 <apuimedo> #info ivc_ sent quite a few patches for his PoC to the kuryr-kubernetes gerrit queue
14:55:35 <apuimedo> but most importantly
14:55:45 <apuimedo> for its repercussions on the rest of the project
14:56:15 <apuimedo> #info ivc_ proposes adopting Oslo versioned objects for communication to the binding side of Kuryr
14:56:48 <apuimedo> so kuryr-libnetwork would use them when talking to the rest/rpc
14:57:02 <apuimedo> kuryr-lib port-binding should probably know about them
14:57:22 <apuimedo> and kuryr-lib CNI (which I'm doing) should definitely know about it
14:57:29 <ivc_> we can start with ovo for annotations now and translate to neutron port dict when passing to port-binding
14:57:42 <apuimedo> ivc_: yes, that's the easiest way
14:57:57 <apuimedo> kuryr-lib CNI translates to current port form for the current port-binding code
14:58:35 <ivc_> but eventually i see kuryr-lib binding using ovo
14:59:06 <apuimedo> #action apuimedo work oslo versioned objects into the kuryr-lib CNI driver
14:59:23 <apuimedo> ivc_: anything else you'd want to share?
14:59:43 <apuimedo> (two minutes remaining, sorry)
14:59:50 <ivc_> not really :)
15:00:04 <ivc_> oh just that ha works with eventlet :)
15:00:16 <banix> is there a minimum linux kernel version we require?
15:00:42 * banix jumps the gun
15:00:51 <apuimedo> #topic general
15:00:57 <jimbaker> hi, we are waiting on our #craton meeting to start
15:01:03 <syed_> o/
15:01:08 <apuimedo> banix: Do not think so, but generally el7 is the oldest
15:01:15 <apuimedo> jimbaker: syed_ closing, sorry
15:01:22 <banix> thx
15:01:27 <jimbaker> np
15:01:30 <apuimedo> #info devvesa presented kuryr in openstack nordic
15:01:33 <apuimedo> #endmeeting