#openstack-meeting-alt log

15:01:16 <bswartz> #startmeeting manila
15:01:17 <openstack> Meeting started Thu Jan 30 15:01:16 2014 UTC and is due to finish in 60 minutes.  The chair is bswartz. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:20 <openstack> The meeting name has been set to 'manila'
15:01:26 <bswartz> hello folks
15:01:27 <aostapenko> hello, everyone
15:01:29 <yportnova> hi
15:01:32 <caitlin56> hello
15:01:34 <vponomaryov> Hello
15:01:35 <scottda> Hi
15:01:39 <gregsfortytwo1> hi
15:01:47 <bswartz> #link https://wiki.openstack.org/wiki/ManilaMeetings
15:01:49 <shamail> Hi
15:01:54 <rraja> hi
15:01:56 <csaba> hello
15:02:16 <bswartz> some of us were having a discussion earlier this week that I think the whole group would find interesting
15:02:28 <bswartz> (also I'm hoping someone has a genius idea that will solve the problem)
15:02:45 <bill_az_> Hi everyone
15:03:04 <bswartz> so the issue is in the generic driver design, with how it connects to the tenant network
15:03:58 <bswartz> Our initial hope was that we could simply create a network port on the tenant's network and assign that to the service VM
15:04:32 <bswartz> however we don't want to make the service VM owned by the tenant for a variety of reasons
15:04:45 <ndn9797> Hi, I'm Nagesh, from Bangalore, joining manila meeting for first time..
15:04:47 <bswartz> 1) We don't want it to count against the tenant's quotas
15:04:54 <bswartz> 2) We don't want the tenant to accidentally delete it
15:05:41 <yportnova> ndn9797: Hi
15:05:42 <bswartz> 3) We want to hide manila backend details from the tenant to the extent possible
15:05:52 <bswartz> ndn9797: hello and welcome!
15:06:19 <bswartz> so it's preferrable for the service VMs created by the generic driver to be owned by some special service tenant
15:06:48 <bswartz> however it seems that either nova or neutron or both won't let us connect a VM owned by one tenant to a network owned by another tenant
15:07:21 <bswartz> one potential workaround is to allow the service VMs to have their own separate network and to simply provide routing between that network and tenant networks
15:07:34 <bswartz> I find that workaround to be complex and error prone
15:07:56 <gregsfortytwo1> there isn't an infrastructure for "admin" nodes or whatever to be connected to anybody they want?
15:08:03 <bswartz> but without making changes to nova or neutron or both, it seems to be the only option
15:08:29 <vponomaryov> gregsfortytwo1: problem in assigning user tenant port to service tenant vm
15:08:50 <bswartz> oops I forgot to set the topic
15:08:59 <bswartz> #topic Generic Driver Networking
15:09:21 <shamail> Would assigning a static IP to the service VM bypass the separate tenant/network issue?  Assuming there's a way for us to do this.
15:09:23 <bswartz> okay so hopefully most of you understand the problem
15:09:50 <aostapenko> I have news since yesterday, it's quite easy to configure routers, so we will not need any additional route rules in vm in our private network
15:10:00 <bswartz> shamail: the IP will end up getting assigned by neutron and will be effectively static
15:10:02 <ndn9797> I understand the problem now. Thanks <bswartz>
15:10:03 <shamail> The issue is with floating IPs and being assigned cross-tenants, no?  Might be completely mistaken since I wasn't in the discussions earlier.
15:10:07 <bswartz> but it will be an IP from a separate network
15:10:12 <gregsfortytwo1> has anybody talked to people in the other groups yet? I'm surprised there's not an accepted model already
15:10:41 <bswartz> gregsfortytwo1: I think that nobody is doing anything that requires what we want
15:10:50 <bswartz> since you always have the option of setting up virtual routes between tenants
15:10:51 <shamail> But the assignment mechanism (e.g. Neutron) is the issue, not the address space itself so couldn't we find an alternative way to assign?
15:11:00 <gregsfortytwo1> everybody else is still just doing things through the hypervisor? really?
15:11:05 <bswartz> no it's not actually an IP issue
15:11:16 <shamail> Okay.
15:11:34 <bswartz> we can allocate a port on the tenants network, we just can't assign it to our VM through nova
15:11:59 <bswartz> we could still fake it and use the IP within the VM -- but without actual bridging of the packets thats useless
15:12:49 <bswartz> gregsfortytwo1: I'm not sure what you mean
15:12:57 <aostapenko> we'd like to share docs about how generic driver is implemented now
15:13:12 <bswartz> gregsfortytwo1: I think people are using their own tenant networks currently, and when they need connectivity they're setting it up through neutron routes
15:13:15 <aostapenko> https://docs.google.com/a/mirantis.com/drawings/d/1sDPO9ExTb3zn-GkPwbl1jiCZVl_3wTGVy6G8GcWifcc/edit
15:13:25 <aostapenko> https://docs.google.com/a/mirantis.com/drawings/d/1Fw9RPUxUCh42VNk0smQiyCW2HGOGwxeWtdVHBB5J1Rw/edit
15:13:35 <aostapenko> https://docs.google.com/a/mirantis.com/document/d/1WBjOq0GiejCcM1XKo7EmRBkOdfe4f5IU_Hw1ImPmDRU/edit
15:13:57 <bswartz> the ideal case for me is that we can create a VM that right on the tenant's network but the VM is hidden from them and doesn't count against their quotas
15:14:10 <caitlin56> Could we do this the opposite way? Rather than giving each machine in each tenant network access to the management network, could we give the management machine a floating IP on each tenant network?
15:14:29 <bswartz> caitlin56: yes that's an option, but it has some problems
15:15:08 <bswartz> in particular, the security services that the storage server needs to communicate with will be inside the tenant network
15:15:25 <bswartz> so the "service VM" will need routes back into the tenant network
15:15:34 <caitlin56> There is an even better option, but I do not think neutron supports it, you place the management computer in a "DMZ VLAN" and allow routing to the DMZ from any tenant network.
15:15:43 <bswartz> we may be able to get that to work by just setting up the routes
15:16:05 <bswartz> caitlin56: we need 2-way routing though
15:16:13 <caitlin56> The gotcha is that all tenant networks have to be NATtted to a unique address on the tenant network.
15:16:20 <gregsfortytwo1> I'm not a network engineer so this is all a bit beyond me, but what's error-prone about setting up the routes?
15:16:57 <aostapenko> bswartz: yes, we can do so, and it's not difficult
15:16:57 <caitlin56> gregsfortytwo: the problem is that the tenant networks can all think they are 10.0.0.0/8
15:17:10 <bswartz> gregsfortytwo1: perhaps error-prone was the wrong phrase -- what I meant was that there's a lot of complexity with network routes and testing all the corner cases seems like a huge problem
15:17:49 <bswartz> aostapenko thinks he can make it work so it's what we're going to try
15:17:52 <gregsfortytwo1> isn't that Somebody Else's Problem? (where Somebody Else is neutron)
15:17:59 <scottda> If the ideal solution involves work from Neutron (and perhaps Nova), it might be worth trying to get a blueprint together for those team. Neutron doesn't seem to be too locked down for new features.
15:18:09 <bswartz> I just wanted to throw this problem out to the larger group to see if we could find a better way
15:18:15 <gregsfortytwo1> we don't just say "connect this IP and this network" or similar?
15:19:19 <bswartz> gregsfortytwo1: it's a question of the routing rules -- which packets go to which gateways
15:19:28 <caitlin56> The trick is that you need very specific firewall and NAT rules to be set up properly. You want to allow each tenant network to use the same addresses, and you doi not want to allow general traffic from the tenant networks.
15:20:08 <bswartz> consider this: the service network will have sime CIDR range, and that range will need to be mapped into every tenant's routing tables
15:20:20 <caitlin56> The setup I have seen, each tenant is NATted to the DMZ, and routing is limited to the DMZ subnet (i.e. no packets transit the DMZ).
15:20:33 <bswartz> if any tenant is using those same addresses for something (perhaps a VPN connectiong to a corporate network) we will get an address collision
15:20:42 <bswartz> connection*
15:20:50 <caitlin56> bswartz: it's ont he
15:21:04 <caitlin56> DMZ thaty we need to do the routing.
15:21:39 <shamail> Wouldn't that still require something to maintain the NAT entries and provision the addresses?  How would this be from a maintenance perspective?
15:21:46 <caitlin56> The assumption is that the DMZ has a public IPV4 or ipv6 subnet - something a tenant should not be using.
15:22:14 <bswartz> caitlin56: you're proposing that service VMs be given public addresses?
15:22:31 <caitlin56> You allow a route from each tenant network to that specific public subnet,  and you NAT tranlate every packet when routed.
15:22:57 <bswartz> caitlin56: how do the service VMs tunnel back into the tenant networks?
15:23:00 <caitlin56> It can be PNAT or block NAT translation, but here PNAT seems more appropriate.
15:23:22 <aostapenko> we'd like to avoid using NAT at all because of nfs limitations
15:23:28 <caitlin56> That's where you need NAT rather than PNAT.
15:24:01 <bswartz> yeah the whole idea is to deliver a driver that works similarly to a VLAN-based mutlitenancy solution which requires full 2-way network connectivity
15:24:19 <bswartz> NAT causes problems
15:24:26 <caitlin56> The only way to avoid NAT is to have the management server run lots of network namespaces and essentially "route" to the correct process before doing IP routing.
15:24:37 <bswartz> if NAT is going to be required then I'm inclined to use the gateway-mediated multitenancy model
15:25:47 <scottda> Sorry I may have missed this, but why not a Neutron admin subnet?
15:26:02 <bswartz> scottda: you may need to explain what that is...
15:26:16 <aostapenko> We're using 1 service network and multiple subnets in it with different cidrs
15:26:53 <scottda> Some feature, yet to be implemented, that allows an admin to setup neutron networking across tenants.
15:27:07 <scottda> and subnets
15:27:26 <caitlin_56> Sorry about the drop. Anyway there is ultimately only two choices: you create a set of unique IP addresses visisble tot he manager (via NAT or PNAT), or you create slave processes which have uniwuenetwork namespaces and hence can join the tenant network without reservation.
15:27:56 <bswartz> scottda: that sounds like exactly what we need
15:28:09 <bswartz> scottda: if it's not implemented though then we're still left without a solution
15:28:21 <csaba> bswartz: as of gateway mediated, in the original concept gateway was equal to hypervisor, but for sake of network separation we thought we'd need service vm-s for gateway role so as long as this view held, I don't see how is that simpler as of network plumbing
15:28:25 <scottda> Well, if the ideal place for this is in Neutron, we could attempt to get it in Neutron.
15:29:02 <scottda> It might take a bit more time, but we will be living with this solution for a long time. Years.
15:29:05 <caitlin_56> But if our plan is to get Neutron improved first we will need an interim workaround.
15:29:08 <bswartz> I do think the ideal place is in neutron
15:29:21 <bswartz> Or nova
15:29:39 <bswartz> some way to create special vms that span tenants
15:30:02 <bswartz> scottda: are in a position to get something like that implemented?
15:30:08 <scottda> I'm not certain, but my instinct is that it will be easier to get a change through Neutron than Nova. Just from a standpoint that Neutron is newer, and changing faster.
15:30:30 <scottda> I have teammates who work on Neutron. I can certainly fly the idea past them to get some feedback.
15:30:42 <caitlin_56> Linux namespaces provides the tools needed. Trying to bypass neutron to use them will be very tricky.
15:31:05 <scottda> They might have already discussed such a thing, or have a quick answer like "sure, sounds doable" or "no way, already thought of that" I really don't know.
15:31:27 <bswartz> caitlin_56: there's nothing technically complicated about allowing a service VM to be directly on a tenant's network
15:31:44 <bswartz> it's an administrative limitation that prevents us from doing what we want
15:32:04 <bswartz> possibly there are security implications
15:32:26 <caitlin_56> How do you know which tenant you are talking to?
15:32:53 <bswartz> there's one VM per tenant
15:33:12 <aostapenko> actually one vm per share-network
15:33:14 <bswartz> so you have a 1-to-1 mapping and you can track that
15:33:21 <caitlin_56> How do you talk with tenant X? You have to select the  namespace before the IP address is any good.
15:33:28 <bswartz> well yeah, thanks aostapenko
15:33:52 <bswartz> caitlin_56: it's no different than if tenant X had created a new VM himself
15:34:06 <bswartz> however the owner of that VM needs to be us
15:34:24 <bswartz> or the "service tenant" as we've been saying
15:34:53 <bswartz> there is the issue of how the manila-share service talks to these special VMs, but that's also a solvable problem
15:35:35 <scottda> I'll start a dialogue with some Neutron devs about feasibility of an admin network. There's still the issue of the service VM.
15:36:05 <bswartz> scottda: thx -- I'll follow up w/ you after this meeting because I'm very interested in that approach
15:36:12 <caitlin_56> scottda: this is a general problem, not unique to NFS. So neutron should be willing to listen.
15:36:43 <scottda> Yes, I'll need to get some more info as I'm not as up to speed on Manila as I'd liket to be
15:36:53 <bswartz> okay enough on that
15:36:57 <scottda> caitlin_56: agreed. I think I can sell it :)
15:37:00 <bswartz> let's jump to dev status
15:37:05 <bswartz> #topic dev status
15:37:20 <vponomaryov> i will update about it
15:37:32 <bswartz> vponomaryov: ty
15:37:40 <vponomaryov> Dev status:
15:37:40 <vponomaryov> 1) Generic driver - https://review.openstack.org/#/c/67182/
15:37:50 <vponomaryov> Lion part of work is done
15:37:50 <vponomaryov> TODO:
15:37:50 <vponomaryov> a) Finalize work of routers and routes between Vm in service tenant and vm in user tenant
15:37:50 <vponomaryov> b) Write unittest
15:38:17 <vponomaryov> Info, mentioned before:
15:38:17 <vponomaryov> https://docs.google.com/a/mirantis.com/drawings/d/1sDPO9ExTb3zn-GkPwbl1jiCZVl_3wTGVy6G8GcWifcc/edit
15:38:17 <vponomaryov> https://docs.google.com/a/mirantis.com/drawings/d/1Fw9RPUxUCh42VNk0smQiyCW2HGOGwxeWtdVHBB5J1Rw/edit
15:38:17 <vponomaryov> https://docs.google.com/a/mirantis.com/document/d/1WBjOq0GiejCcM1XKo7EmRBkOdfe4f5IU_Hw1ImPmDRU/edit
15:38:44 <vponomaryov> 2) NetApp Cmode driver - https://review.openstack.org/#/c/59100/
15:38:45 <vponomaryov> TODO: bugfixing and retesting
15:39:07 <vponomaryov> 3) We have open item about share-networks, that should be disscussed and if accepted will take some time for implementation.
15:39:34 <bswartz> vponomaryov:  what open issue?
15:39:38 <vponomaryov> Should I begin with open item?
15:39:44 <bswartz> vponomaryov: yes pls
15:39:57 <vponomaryov> Open item: With current code, Vserver (VM) will be created (with data from share-network) only on first share creation call.
15:40:13 <vponomaryov> its true for both drivers
15:40:19 <vponomaryov> Problem:
15:40:19 <vponomaryov> Current realisation assumes creation share and Vserve for itr. And it can be failed due to improper share-network data. So, user would like to use already activated share-networks, and wait much less time.
15:40:19 <vponomaryov> Also, due to mechanism of mapping security service to share network, we shouldn't try create Vserver (VM) on share network creation.
15:40:45 <vponomaryov> Proposal:
15:40:45 <vponomaryov> We can have command for share-network like "initialize" or "run", to make it, when we (admin) are ready.
15:41:06 <bswartz> vponomaryov: you're saying we don't error check the parameters used for share-network-create until long after the API call succeeds?
15:41:46 <vponomaryov> we are checking this data on creation of Vserver, and we do this on first share creation call
15:42:01 <bswartz> well here's the thing
15:42:26 <bswartz> even if we create a vserver before we need to, we may need to create another one at some point in the future
15:42:44 <bswartz> any share-create call can result in a new vserver getting created
15:43:03 <vponomaryov> yes, use r will have a choise between active share-networks
15:43:12 <vponomaryov> which one to use
15:43:17 <bswartz> now I agree that its probably worthwhile to at least validate the params passed in 1 time at the beginning
15:43:45 <bswartz> but that won't prevent us from having issues if something changes behind our back
15:44:13 <vponomaryov> so, we should not only check, we should create Vserver
15:44:41 <vponomaryov> if its creation is successfull, we have active share-network
15:44:42 <bswartz> anyone else have an opinion here?
15:44:58 <caitlin_56> bswartz: that is an unsolvable problem. The fact that you cannot launch a VM right now does not mean that the configuration is incorrect - only that it probably is.
15:44:59 <bswartz> I think I can live with creating an empty vserver, just to validate the parameters passed in
15:45:47 <vponomaryov> caitlin_56: +1, a lot of issues won't be caused by improper data itself
15:46:03 <vponomaryov> we should know, we have a Vserver
15:46:11 <vponomaryov> and can crete share
15:46:28 <caitlin_56> You either allow "speculative" networks or you prevent some legitimate configuration from being accepted due to a temporary network glitch.
15:47:32 <bswartz> caitlin_56: are you against the proposal?
15:47:49 <bswartz> I think it's fine to do it -- the biggest downside is wasted resources
15:48:57 <bswartz> okay if noone opposed then I say go ahead with it vponomaryov
15:49:09 <bswartz> #topic open discussion
15:49:16 <vponomaryov> ok
15:49:23 <caitlin_56> bswartz: I'd raise a error, but allow an operator to override - "no this config is correct even if you can't do it right now."
15:49:26 <bswartz> any other topics for this week?
15:49:55 <bswartz> caitlin_56: if it won't work right now the tenant can try agian later when it will work
15:49:56 <vponomaryov> A couple with launchpad BPs
15:50:15 <bswartz> caitlin_56: there's little value it setting something up early if that thing is useless until a later time
15:51:33 <vponomaryov> bswartz: BP https://blueprints.launchpad.net/manila/+spec/join-tenant-network can be marked as implemented,
15:51:33 <vponomaryov> bugs left according to its changes. + approved change for share-networks
15:51:34 <bswartz> vponomaryov: I'm here
15:51:55 <bswartz> I'm there rather
15:52:22 <vponomaryov> and second
15:52:33 <vponomaryov> If we drop xml support, BP https://blueprints.launchpad.net/manila/+spec/xml-support-to-client should be marked as invalid.
15:52:40 <vponomaryov> Do we drop XML support?
15:52:44 <bswartz> ack my browser is crashing
15:53:20 <bswartz> oh yes
15:53:39 <bswartz> it came to my attention this week that the Nova project is dropping support for XML in their v3 API
15:53:54 <bswartz> so I see no reason to support XML in any version of our API
15:54:04 <ndn9797_> fine with XML drop..
15:55:07 <vponomaryov> I have no questions
15:55:13 <vponomaryov> thanks
15:55:26 <bswartz> okay
15:55:29 <bswartz> thanks everyone
15:55:52 <aostapenko> thanks, bye
15:55:54 <bswartz> #endmeeting