#openstack-meeting-alt log

15:00:24 <bswartz> #startmeeting manila
15:00:24 <openstack> Meeting started Thu Jul 20 15:00:24 2017 UTC and is due to finish in 60 minutes.  The chair is bswartz. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:28 <bswartz> hello all
15:00:29 <openstack> The meeting name has been set to 'manila'
15:00:29 <cknight> Hi
15:00:45 <vponomaryov> hello
15:00:52 <ganso> hello
15:01:10 <xyang1> Hi
15:01:11 <bswartz> hopefully I won't have any network issues during this meeting -- someone seems to have tripped over a cable and broken my ethernet this morning
15:01:29 <bswartz> so I'm on (very sketchy) wifi now
15:01:38 <vkmc_> o/
15:01:39 <gouthamr> o/
15:01:41 <jungleboyj> @!
15:01:41 <_pewp_> jungleboyj (;-_-)ノ
15:02:00 <bswartz> #topic announcements
15:02:03 <jungleboyj> bswartz:  Sorry I was so clumsy.
15:02:19 <bswartz> next week is feature freeze
15:02:47 <zhongjun> hi
15:03:04 <bswartz> we are using https://launchpad.net/manila/+milestone/pike-3 to prioritize BPs and reviews
15:03:20 <dustins> \o
15:03:37 <tbarron> hi
15:03:42 <tbarron> i'm tethered to cell atm myself :(
15:03:47 <tbarron> oh, jungleboyj must be in RTP, 'splains everything
15:03:56 <bswartz> jungleboyj: if it was you that tripped over the cable, kindly fix it after the meeting is over!
15:04:19 <vponomaryov> bswartz: "Add quota for amount of share-groups" cannot have priority bigger than "Support quotas per share type", because it depends on it
15:04:20 <jungleboyj> tbarron:  No, I am in Minnesota.  Just seems like when network isn't working I get blamed.  ;-)
15:04:25 <bswartz> I'm going to go pester IT if a few reboots don't sort me out
15:05:24 <bswartz> vponomaryov: that's an implementation dependency not a design dependency right?
15:05:54 <vponomaryov> bswartz: kind of
15:06:12 <bswartz> okay well the best case is to get both merged
15:06:18 <bswartz> I'll leave the priorities alone for now
15:06:42 <bswartz> we'll just let reviews know now that there's a dependency that affects the merge order
15:06:57 <bswartz> #agenda https://wiki.openstack.org/wiki/Manila/Meetings
15:07:08 <bswartz> okay first item of business
15:07:17 <bswartz> #topic FPF Exception request - ONTAP QoS
15:07:35 <bswartz> #link http://lists.openstack.org/pipermail/openstack-dev/2017-July/119858.html
15:07:41 <bswartz> #link https://review.openstack.org/#/c/484933/
15:07:59 <bswartz> gouthamr submitted this 2 days ago on the ML
15:08:24 <toabctl> hi
15:09:07 <gouthamr> yes.. the code change seems large, but unit tests caused the code bloat..
15:09:08 <bswartz> ...quiet it here....
15:09:15 <bswartz> I hope my network hasn't failed yet
15:09:32 <bswartz> anyways there were only 2 responses on-list
15:09:48 <vponomaryov> I am ok letting it in
15:09:53 <bswartz> if there are no comments I'd like to call a vote
15:09:58 <bswartz> just to make it official
15:10:11 * gouthamr +1 :)
15:10:20 <bswartz> #startvote grant FFE for NetApp QoS? yes, no
15:10:21 <openstack> Begin voting on: grant FFE for NetApp QoS? Valid vote options are yes, no.
15:10:22 <openstack> Vote using '#vote OPTION'. Only your last vote counts.
15:10:25 <vponomaryov> yes
15:10:31 <vponomaryov> #vote yes
15:10:37 <zhongjun> #vote yes
15:10:39 <xyang1> #vote yes
15:10:41 <bswartz> #vote yes
15:10:44 <tbarron> jungleboyj: :)
15:10:46 <toabctl> #vote yes
15:10:48 <jungleboyj> #vote yes
15:10:52 <cknight> #vote yes
15:10:56 <ganso> #vote yes
15:11:06 <bswartz> jungleboyj: we only blame you for wifi related problems IIRC
15:11:25 <bswartz> 10 seconds
15:11:37 <bswartz> #endvote
15:11:37 <openstack> Voted on "grant FFE for NetApp QoS?" Results are
15:11:38 <dustins> #vote yes
15:11:39 <openstack> yes (8): bswartz, toabctl, ganso, jungleboyj, cknight, vponomaryov, xyang1, zhongjun
15:11:52 <bswartz> okay nobody opposed, the FFE is granted
15:12:00 <gouthamr> thanks everyone!
15:12:12 <jungleboyj> :-)
15:12:19 <bswartz> just a reminder as per our usual rules -- features that missed the freeze go to the back of the priority line for reviews
15:12:22 <jungleboyj> I like to keep it that way.
15:12:57 <bswartz> please focus reviews on high priority BPs, as we have a lot of unmerged stuff and not a lot of time to get it all in
15:13:23 <bswartz> next week I will be ruthless with pushing incomplete things out of the release
15:13:39 <gouthamr> bswartz: should we track on etherpad?
15:13:47 <bswartz> gouthamr: track what?
15:13:52 <bswartz> oh the reviews
15:14:05 <bswartz> yes that's something we've done in past releases
15:14:11 <bswartz> we didn't create an etherpad for pike though
15:14:17 <bswartz> and it's a bit late to start one now :-/
15:14:32 <bswartz> it's still worth doing however
15:14:35 <gouthamr> https://etherpad.openstack.org/p/pike-manila-code-review-focus
15:15:46 <bswartz> I won't fill in the whole etherpad now, but I will populate it after the meeting
15:16:01 <bswartz> and encourage people to assign themselves to reviews
15:16:26 <bswartz> there's very little time, so we won't get a chance to review the etherpad before the freeze itself
15:16:35 <bswartz> I'll just ping people in the channel as needed
15:16:42 <bswartz> thanks gouthamr
15:17:11 <bswartz> okay on to the next topic
15:17:19 <bswartz> #topic IPv6 access
15:17:27 <bswartz> some questions came up in the channel about this
15:17:51 <bswartz> I thought we had reached consensus in Barcelona but maybe not everyone remembers so it's worth revisiting
15:18:18 <bswartz> I'm strongly opposed to any kind of new "capability" bits around ipv6 that clients need to be aware of
15:18:53 <bswartz> IMO, client should be able to assign access rules to shares using ipv4 and ipv6 (assuming the share protocol supports IP access) and expect success
15:19:50 <bswartz> however for obvious reasons, ipv6 accces rules on ipv4-only shares and ipv4 access rules on ipv6-only shares will effectively do nothing
15:20:18 <bswartz> there are 2 benefits to allowing the rules despite them not doing anything
15:20:46 <bswartz> 1) when additional export locations are added later on, the rules can already exist and immediately start working at that time
15:21:17 <vponomaryov> bswartz: (1) is not practical in real deployment
15:21:20 <tbarron> #vote yes
15:21:20 <tbarron> jungleboyj is going to change his vote
15:21:26 <bswartz> 2) is saves clients from having to make any queries before assigning access rules -- clients can simply express what they want and expect it to succeed
15:21:42 <jungleboyj> Holy lag.
15:21:55 <bswartz> tbarron: you're about 11 minutes behind the rest of us...
15:21:59 <vkmc_> Sketchy connection is sketchy
15:22:06 <bswartz> or else I'm 11 minutes in the future
15:22:18 <ganso> at least he tried
15:23:04 * tbarron is traveling very quickly atm
15:23:06 <bswartz> anyways this is what we agreed to in Barcelona and I'm wondering if anyone feels differently now or if anyone who wasn't there disagrees with the decision
15:23:38 <vponomaryov> bswartz: I think that silent skipping of a rule is bad user experience
15:23:42 <tbarron> backwards, apparently
15:23:44 * bswartz hears the doppler effect in tbarron's voice
15:24:12 <bswartz> vponomaryov: it's not skipping the rule
15:24:24 <bswartz> on some backends it may actually configure a rule on the storage controller
15:24:40 <bswartz> it's just that the rule won't matter because it will be impossible to talk to the share over that IP version at that time
15:24:44 <vponomaryov> bswartz: you propose to skip it where it is not supported
15:24:46 <zhongjun> 1)  If we get error status, it is still work:  when additional export locations are added later on, the rules can already exist and immediately start working at that time
15:25:04 <bswartz> later on when an export location is added, the rule should be enforced, so there is value in having it in the manila DB
15:25:29 <bswartz> what does it mean for the rule to have error status in that case?
15:25:46 <tbarron> we should refresh the access rules in ensure share then, b/c the backend may not have been able to implement it the first time
15:25:48 <vponomaryov> bswartz: "error" means "was not applied"
15:25:59 <bswartz> but it was applied
15:26:06 <bswartz> it doesn't ends up not mattering
15:26:31 <vponomaryov> bswartz: you are talking about those backends that are able to set ipv6 rules in general
15:26:32 <bswartz> it's like schrodinger's cat
15:26:33 <ganso> bswartz: this "conditional" behavior of "if it does make sense it is ok, but it if it does, should be enforced" may lead to complicated coding
15:26:39 <zhongjun> bswartz: error status means  the driver doesn't support ipv6 acl
15:26:50 <bswartz> you don't know if the rule is applied or not until you add an export location of the appropriate type
15:27:27 <bswartz> tbarron: yes I was going to mention that an upshot of this is that adding an export location will require an access rule update
15:27:40 <bswartz> zhongjun: that's precisely what I want to avoid
15:27:43 <ganso> bswartz: s/if it does make sense it is ok/if it does not make sense it is ok
15:28:05 <vponomaryov> bswartz: it is expected that we add ipv6 rules right afer we added appropriate export locations
15:28:18 <vponomaryov> bswartz: what is the use case to add rules beforehand?
15:28:27 <bswartz> IMO a user should not be able to percieve any difference between a backend that doesn't have ipv6 support and a backend which does have ipv6 support but not ipv6 export locations
15:28:54 <bswartz> because if they can, then we're looking at new capability bits
15:30:18 <bswartz> my whole goal here is to avoid an awkward transition from no ipv6 support to full ipv6 support as vendors take a long time to add this feature to their drivers
15:30:33 <zhongjun> bswartz: like the user access, user doesn't need to know a backend that doesn't have user access support
15:30:34 <bswartz> capability bits are ugly, optional features are ugly
15:30:49 * markstur sneaks in late
15:31:26 <ganso> zhongjun: does not need to, but is likely to get an error when adding a user access rule that will not work
15:31:27 <bswartz> zhongjun: I'm not sure what you mean -- backends are required to support user access (for CIFS) and we removed user access for other protocols because optional features are confusing and terrible
15:31:54 <tbarron> bswartz: so what does the end-user see, an export location that then doesn't work, right?
15:32:20 <bswartz> tbarron: no, my expectation is that everything will work fine
15:32:28 <bswartz> I'm not sure what you're getting at
15:32:50 <tbarron> bswartz: maybe i'm confused, but end user sees ipv6 access rule, but
15:32:57 <tbarron> ok, no ipv6 export location
15:33:08 <bswartz> if we do this properly, then from a user's perspective ipv6 will be a univerally supported feature, but most backends just won't happen to have any ipv6 export locations yet
15:33:33 <bswartz> and as vendors implement support, admins will be able to assign ipv6 export locations and the drivers will do the right thing
15:33:46 <tbarron> so end user doesn't open a ticket when she has a user vm with ipv6 capability b/c she doesn't see the export location
15:33:58 <tbarron> and doesn't attempt ipv6 mount
15:34:23 <bswartz> tbarron: the user will see the export location with a v4 address
15:34:26 * tbarron is just thinkiing this through from a 'have to support it' POV
15:34:55 <bswartz> if they want an ipv6 address then they should open a ticket and pressure the admin to get ipv6 exports added
15:35:34 <tbarron> user may bug cloud admin 'why isn't ipv6 location there'? and cloud admin will do RFE with backend supplier or distro but I guess that's OK
15:35:39 <bswartz> if the driver doesn't support ipv6 then that's between the admin and their driver vendor, which is where the pressure should come from
15:36:02 <ganso> bswartz: what you are describing is a behavior similar to when the user adds a rule that is in a different subnet than the exports. There is no error. The driver and backend do actually add the rule. But there may be backends that fail to do add ipv6 rules because they are not compatible.
15:36:06 <tbarron> distro will get some tickets on same, but probably not too bad
15:36:08 <ganso> bswartz: I believe ipv6 should behave in a similar way to what happens when you try to add a user rule to a share that does not support it, even though there will be no "ipv6" access rule type being selected, will be "ip"
15:36:13 <bswartz> the right people to yell at vendors are the customers of storage -- the openstack admins
15:37:15 <bswartz> tbarron: right now they would be yelling at *us* (the manila community) for not supporting this feature at all
15:37:36 <zhongjun> bswartz: In some backend, we can support user access in both NFS and CIFS
15:37:38 <ganso> I think it is hard to design a behavior that we may not be capable of supporting from all vendors and get inconsistent behavior
15:37:58 <bswartz> ganso: this was the point of the discussion in barcelona
15:38:16 <bswartz> ipv6 isn't something that some vendors can't support -- it's just a matter of when support is added
15:38:33 <bswartz> there's no question that eventually every driver will have ipv6 support
15:38:42 <ganso> bswartz: yes but they may differ on how it is supported
15:39:07 <bswartz> ganso: it's not that complicated
15:39:23 <bswartz> is there any vendor you know of that can't implement a list of IPv6 access rules?
15:40:10 <ganso> bswartz: I can't comment on details, but I know of backends that cannot add IPv6 access rules if the export is IPv4
15:40:23 <bswartz> getting back to my point, since it will be a universal feature, I'd like to spare the users a bad user experience and just start with a design that looks like the ultimate design where ipv6 is universally supported
15:40:51 <bswartz> ganso: presumably those share would always be v4-only or v6-only though right?
15:40:58 <ganso> bswartz: yes
15:41:16 <bswartz> in which case the unsupported rules can be safely ignored and nobody will know the difference
15:41:37 <ganso> bswartz: but ignored will mean that it will be added in manila with "active" status
15:41:39 <zhongjun> ganso: Our backends that can add IPv6 access rules if the export is IPv4
15:42:03 <bswartz> this is only a really interesting technical problem when shares support both IP versions
15:42:26 <zhongjun> ganso: The share export IP and  share ACL can be spearated
15:42:48 <zhongjun> separate
15:43:04 <ganso> zhongjun: by "our backends" you mean this behavior is enforced at the share manager?
15:43:20 <bswartz> the key here is that admins ultimately have control over export locations (for DHSS=false drivers) and can easily arrange for the right thing to happen
15:43:51 <bswartz> but I always prioritize the needs of the users over the needs of the admins/developers which is why I favor this scheme
15:44:07 <bswartz> yes it's slightly weird, but only during the transition
15:44:24 <bswartz> eventually all drivers will have ipv6 support, and ipv6 export locations will be common
15:45:15 <bswartz> I don't want end users to have to suffer through the transition by checking which shares have which export locations types and then only assigning relevant access rules
15:45:38 <zhongjun> ganso: I mean it can support in driver about  driver can add IPv6 access rules if the share export location is IPv4
15:46:37 <gouthamr> thinking in perspective of the code, this seems possible
15:46:46 <bswartz> so I'd like to get a conclusion on this topic and I've heard a few difference concerns raised
15:46:54 <gouthamr> with the new access rules interface, drivers can update access rules..
15:47:27 <bswartz> does anyone really feel like it's important to have rules in an error state if they are in reality not applied, even though the user can't tell the difference?
15:47:39 <gouthamr> so they don't need to ignore and set thngs to "active". they can leave the rule in "queued" state until someday an ipv6 export location shows up?
15:47:44 <gouthamr> why "error"?
15:48:05 <ganso> gouthamr: really? any queued rule will be sent to the driver
15:48:16 <bswartz> as long as we have a way to ensure that they are applied by the time a user would be able to notice (such as adding a new export location)
15:48:22 <gouthamr> ganso: sure, ignore and return queued_to_apply..
15:48:22 <ganso> gouthamr: then the result of that invocation will lead either to error or active
15:48:29 <ganso> gouthamr: oh, right!
15:48:32 <bswartz> ah, ganso you bring up an important point
15:48:34 <ganso> gouthamr: the return values
15:48:49 <bswartz> I didn't get to the this important detail yet
15:48:56 <ganso> gouthamr: that error/active was the old design
15:49:20 <zhongjun> How about vote for this
15:49:39 <gouthamr> yep.. we changed the rules interface, specially to accommodate access_keys for CEPHFS and then added a way to communicate per-rule status
15:49:39 <bswartz> assuming we agree on what I specified, the way to make it work is to add code to drivers to simply skip over ipv6 rules in the update_access code paths, and the drivers will remove that code when real ipv6 access is added
15:50:12 <gouthamr> i'd vote on leaving rules queued and emitting user messages (if one already doesn't exist for the rule in question) when something is amiss..
15:50:44 <bswartz> gouthamr: won't that cause the manager to spam the driver with update calls?
15:51:39 <gouthamr> :|
15:52:16 <gouthamr> we can think of a way to stop asking of updates for ipv6 rules unless such an update is initiated by ensure_share
15:52:17 <ganso> gouthamr: bswartz has a point...
15:52:17 <gouthamr> ?
15:52:22 <bswartz> I'm in favor of "active"
15:52:43 <bswartz> and then remembing to push an update when any export location is added
15:52:52 <bswartz> that would be part of ensure share though
15:53:12 <ganso> bswartz: for backends that cannot add the rule, and will simply ignore, thus "active", if the ipv6 export is later added, the "active" status will not make sense, the rule will need to be removed and added back
15:53:33 <bswartz> ganso: I don't agree
15:53:42 <bswartz> the rule will be in manila's DB the whole time
15:54:03 <bswartz> the driver just needs to send it to the backend before the v6 export location is added
15:54:18 <bswartz> that's a driver issue which should be hard to deal with
15:54:20 <ganso> bswartz: "remembering to push an update when any export location is added" is what I would categorize as "complicated code logic". I understand that you want user experience to be as simple as possible, but I think the code should be kept simple as well
15:55:22 <bswartz> both would be idea
15:55:24 <bswartz> ideal*
15:55:33 <bswartz> but if we have to choose one I'd favor the user experience
15:55:45 <bswartz> anyways I think this is less complicated than you think
15:56:14 <bswartz> it's just passing the current list of access rules to any method which is allowed to return a new export location
15:56:24 <bswartz> and adding tests for this particular scenario
15:57:04 <bswartz> actually the adding tests part is not easy >_<
15:57:16 <bswartz> so scratch that
15:57:24 <bswartz> but the coding part is not hard
15:58:30 <ganso> bswartz: well, we are ok with making some compromises, like going back to "recovery mode" in this situation. We kinda got rid of this with the new access rules design
15:58:41 <ganso> bswartz: s/well, we are ok/well, if we are ok
15:58:59 <bswartz> yes recovery mode should be the default IMO
15:59:27 <bswartz> the other modes were just for drivers with severely limited backends like the ceph one which couldn't implement recovery mode efficiently
15:59:38 <bswartz> every other one can to my knowledge
16:00:03 <bswartz> also there was some hope that ceph would get better in this regard
16:00:04 <gouthamr> time check
16:00:19 <bswartz> gah
16:00:24 <bswartz> okay we're out of time
16:00:32 <bswartz> I still feel strongly about my position
16:00:49 <bswartz> we can continue discussing in channel if you all don't agree
16:01:10 <bswartz> thanks to gouthamr for filling in that etherpad while we argued
16:01:22 <bswartz> please sign of up reviews that you're doing
16:01:26 <bswartz> so we know where there are holes
16:01:32 <bswartz> that's all for today
16:01:37 <bswartz> #endmeeting