#openstack-meeting log

22:01:59 <kevinbenton> #startmeeting neutron_drivers
22:02:00 <openstack> Meeting started Thu Mar 30 22:01:59 2017 UTC and is due to finish in 60 minutes.  The chair is kevinbenton. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:02:01 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:02:04 <openstack> The meeting name has been set to 'neutron_drivers'
22:02:29 <kevinbenton> #topic meeting time
22:02:40 <kevinbenton> armando has disappeared
22:03:05 <mlavalle> he is in the Neutron channel
22:03:48 <kevinbenton> amotoki: going any earlier around this time is too early for you, correct?
22:04:06 <kevinbenton> amotoki: we would need to go at least 8 hours backwards?
22:04:13 <kevinbenton> backwards == earlier
22:04:20 <amotoki> kevinbenton: 7 or 8 hours
22:04:43 <ihrachys> which is fine by me ;)
22:04:51 <kevinbenton> and I think 8AM was an issue for Armando
22:04:56 <kevinbenton> 8AM PST
22:05:24 <amotoki> 6 hours earlier than now.
22:05:27 <mlavalle> On Thursday's I chair the L3 meeting at 1500UTC, that is my only constraint
22:05:34 <ihrachys> 6h is 9am
22:06:01 <kevinbenton> so we would need either 1400UTC on Thu or 1500UTC otherwise
22:06:07 <kevinbenton> amotoki: or is 1500UTC too late?
22:06:14 <amotoki> no
22:06:19 <amotoki> it is 12am
22:06:32 <amotoki> I am okay with 16UTC too
22:06:33 <mlavalle> kevinbenton: 1500 UTC doesn't work form me
22:06:42 <kevinbenton> mlavalle: right, we would change the day
22:06:51 <mlavalle> kevinbenton: perfect
22:06:58 <kevinbenton> let's come back to this once armax is back
22:07:18 <kevinbenton> #topic RFE's
22:07:30 <kevinbenton> i think we're getting close to the end of the list
22:07:32 <kevinbenton> #link #link https://bugs.launchpad.net/neutron/+bugs?field.status%3Alist=Triaged&field.tag=rfe
22:07:34 <kevinbenton> #link #link https://bugs.launchpad.net/neutron/+bugs?field.status%3Alist=Triaged&field.tag=rfe
22:07:35 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bugs?field.status%3Alist=Triaged&field.tag=rfe
22:07:49 <kevinbenton> paste disaster :)
22:08:15 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1633280
22:08:16 <openstack> Launchpad bug 1633280 in neutron "[RFE]need a way to disable anti-spoofing rules and yet keep security groups" [Wishlist,Triaged]
22:08:23 * ihrachys sets some RFEs to Triaged ;)
22:08:28 <armax> yello
22:08:29 <kevinbenton> I reckon we should transition this one to incomplete?
22:08:45 <kevinbenton> armax: hello!
22:08:58 <ihrachys> kevinbenton: yes, to signal we wait on the answert
22:08:59 <armax> sorry I am late
22:09:06 <kevinbenton> armax: at end of meeting we are going to try to reschedule drivers so get your calendar ready
22:09:32 <armax> aye
22:09:42 <armax> at the moment my calendar is a huge mess
22:09:46 <armax> you don’t wanna know
22:09:49 <armax> anyhow
22:09:50 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1639566
22:09:50 <openstack> Launchpad bug 1639566 in neutron "[RFE] Add support for local SNAT" [Wishlist,Triaged]
22:09:51 <armax> regarding bug
22:09:52 <armax> 1633280
22:09:58 <kevinbenton> #undo
22:09:59 <openstack> Removing item from minutes: #link https://bugs.launchpad.net/neutron/+bug/1639566
22:10:08 <kevinbenton> armax: go ahead
22:10:11 <armax> yeah, I was gonna say incomplete sounds good :)
22:10:21 <kevinbenton> armax: ok :)
22:10:23 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1639566
22:10:24 <armax> I mean if the use case is unclear
22:10:28 <armax> we can’t do much about it
22:10:59 <amotoki> me too on use case. I wonder allowed-address-pair does not work as kevin mentioned too
22:11:19 <kevinbenton> so for DVR SNAT at compute I think we are going to need some kind of devref or something to see how it could be done in an uninvasive fashion
22:11:28 <armax> regarding bug 1639566 I would rather not conflate the fast exist and the distrbuted snat case
22:11:28 <openstack> bug 1639566 in neutron "[RFE] Add support for local SNAT" [Wishlist,Triaged] https://launchpad.net/bugs/1639566
22:11:36 <kevinbenton> right
22:11:42 <kevinbenton> fast exit is not the same thing
22:11:43 <armax> because they are not the same thing
22:11:52 <armax> as for the distributed SNAT
22:12:06 <armax> kevin and I ‘talked’ about this
22:12:09 <armax> talked as in argued
22:12:20 <mlavalle> LOL
22:12:44 <armax> from the comments on the bug report
22:12:52 <armax> it seems the submitter has code he put together
22:12:52 <kevinbenton> well i think we agree that the use case is clear but the implementation might be a mess with the current code
22:12:53 <ihrachys> I recollect there was some fist fight prev meeting
22:13:06 <kevinbenton> armax: do you agree?
22:13:07 <armax> kevinbenton is warm to the idea, I am not
22:13:13 <armax> kevinbenton: on that I agree
22:13:36 <kevinbenton> armax: but you're only against it because of the implementation detail questions, not because of the use case
22:13:38 <armax> the problem stems from the fact that the code integration may look messy or based off an old version of neutron
22:13:43 <armax> well
22:13:48 <armax> not just that to be honest
22:14:27 <armax> I think this boils down to the nature of recommendation one makes to solve the SNAT problem
22:14:51 <armax> and the SPOF that comes with it
22:14:58 <armax> there’s more than one solution
22:15:01 <kevinbenton> also resource utilization
22:15:02 <armax> no perfect one
22:15:18 <kevinbenton> local SNAT is the only way to avoid bottlenecks
22:15:22 <armax> over the various iterations there was large consensus to stick to a single recommendation
22:15:25 <armax> which was HA+DVR
22:15:30 <mlavalle> the SPOF being the local SNAT?
22:15:35 <armax> mlavalle: right
22:15:43 <kevinbenton> armax: what?
22:15:51 <armax> what what?
22:15:56 <kevinbenton> armax: if local SNAT fails, it's only for the instances on that same node
22:16:00 <kevinbenton> armax: which would have failed as well
22:16:01 <armax> correct
22:16:11 <kevinbenton> shared fate
22:16:33 <armax> I mean you can address the SPOF by either distributing the SNAT over the compute nodes involved or the network nodes involved
22:16:53 <armax> the failure domain is still different between the two
22:17:21 <armax> in one case it affects all VMs behind the routers running on the network node affected
22:17:28 <kevinbenton> right, with HA you depend on HA and compute node not failing
22:17:38 <kevinbenton> with local SNAT, you just depend on compute node not failing
22:17:39 <armax> in the other it affects all the VMs behind running the compute node affected
22:18:29 <kevinbenton> the other issue is bandwidth utilization efficiency
22:18:42 <kevinbenton> which is really poor with routing to a network node
22:18:44 <armax> I’d say let’s not spend the entire hour on this bug
22:18:54 <armax> bottom line is:
22:19:06 <armax> if the author of the ticket feels like proposing the change against master
22:19:17 <armax> we can look at the damage and assess what to do
22:19:18 <kevinbenton> ok
22:19:39 <armax> past experience tells me this is going to be a full bag of hairy <add your choice of word>
22:20:01 <armax> so I feel it’s gonna be a frustrating experience for everybody involved
22:20:04 <kevinbenton> ok, i left a comment
22:20:31 <armax> but I am usually pessimistic so don’t take me too literally
22:21:31 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1649909
22:21:32 <openstack> Launchpad bug 1649909 in neutron "[RFE] Domain-defined RBAC" [Wishlist,Triaged]
22:21:41 <armax> kevinbenton: so long as you’re aware that throwing a patch over the wall is only the first femto step
22:22:11 <kevinbenton> based on the feedback in that patch, it sounds like domain_ids are effectively static
22:22:21 <armax> and that to see the whole thing through the finishing line is a giant effort
22:22:43 <armax> we should warn the contributor before he busts his rearhand
22:23:26 <kevinbenton> armax: please comment on the RFE if you don't think my comment communicated that well enough
22:23:58 <armax> I am
22:24:29 <kevinbenton> is anyone against https://bugs.launchpad.net/neutron/+bug/1649909
22:24:29 <openstack> Launchpad bug 1649909 in neutron "[RFE] Domain-defined RBAC" [Wishlist,Triaged]
22:24:48 <amotoki> looks good
22:25:14 <kevinbenton> we basically need a new column
22:25:40 <ihrachys> +, I think we could unblock that without a spec or anything and just allow the contributor to tinker
22:25:58 <ihrachys> this is ofc a new extension, but we know how to do them right now
22:26:15 <kevinbenton> +1
22:26:24 <mlavalle> looks good to me as well
22:26:38 <kevinbenton> ihrachys: can you trigger the magic state machine to approve it? :)
22:26:39 <mlavalle> new colum in networkrbacs, right?
22:26:50 <kevinbenton> mlavalle: yes
22:26:56 <ihrachys> kevinbenton: sure, I will consult the Old Books first
22:26:58 <kevinbenton> mlavalle: we should probably do it for QoS too
22:27:09 <mlavalle> ok
22:27:09 <kevinbenton> since the logic will be the same and they use the same API
22:27:19 <kevinbenton> #link https://www.youtube.com/watch?v=xsZSXav4wI8
22:27:20 <amotoki> new column for RBAC table (perhas either type or domain_id)
22:27:23 <kevinbenton> spacex rocket launch
22:27:26 <kevinbenton> :)
22:27:52 <mlavalle> ah live!
22:28:10 <mlavalle> is it the re-used rocket?
22:29:03 <kevinbenton> yep
22:29:05 <kevinbenton> first one
22:29:08 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1650678
22:29:08 <openstack> Launchpad bug 1650678 in neutron "[RFE] Allow specifying dns_domain when creating a port" [Wishlist,Triaged]
22:29:19 <kevinbenton> so mlavalle, you're familiar with the dns code :)
22:29:25 <kevinbenton> how difficult would that be to implement
22:29:26 <mlavalle> The submitter clarfied his use case
22:29:36 <kevinbenton> it seems like a clear use case at this point
22:29:47 <mlavalle> he wants all vm's on a provider network
22:29:57 <mlavalle> so it makes sense to allow dns_domain by port
22:30:07 <mlavalle> we do it for fips already
22:30:21 <mlavalle> so it is not a very big deal
22:30:39 <amotoki> my thought is same. I don't see any negative side so far
22:30:49 <kevinbenton> do we need a new DB column to store this?
22:31:01 <kevinbenton> or is it just a matter of carrying info from the API straight to the DB
22:31:21 <mlavalle> we already have a table to carry the ports dns informatio
22:31:26 <mlavalle> so we can add it there
22:31:47 <kevinbenton> ok
22:31:54 <mlavalle> and then update the interaction with the external DNS driver to take that into consideration
22:32:17 <kevinbenton> so i think we can approve the RFE, but is the submitter going to work on it?
22:32:19 <mlavalle> The pots dns_domain would have priority over the network's
22:32:41 <mlavalle> we can ask him
22:33:14 <ihrachys> armax: what's the final state of a RFE bug after rfe-approved is set? it's not clear from the docs.
22:33:17 <kevinbenton> if not, maybe this would be a good feature for a newer contributor to pick up since it sounds relatively isolated
22:33:33 <mlavalle> yep and I can supervise
22:33:40 <kevinbenton> let's set to rfe-approved for this one as well
22:34:20 <ihrachys> +
22:34:34 <armax> hang on
22:35:11 <armax> got distracted
22:35:13 <armax> which bug?
22:35:30 <armax> oh
22:35:35 <ihrachys> I had a question about rbac https://bugs.launchpad.net/neutron/+bug/1649909
22:35:35 <openstack> Launchpad bug 1649909 in neutron "[RFE] Domain-defined RBAC" [Wishlist,In progress]
22:35:52 <kevinbenton> ihrachys: go ahead
22:35:53 <ihrachys> and the proposal is to approve dns_domain one https://bugs.launchpad.net/neutron/+bug/1650678
22:35:53 <openstack> Launchpad bug 1650678 in neutron "[RFE] Allow specifying dns_domain when creating a port" [Wishlist,Triaged]
22:35:53 <armax> ihrachys: once an RFE is approved
22:36:06 <armax> we create a blueprint and we start tracking the effort
22:36:22 <ihrachys> armax: who's creating it?
22:36:38 <armax> ihrachys: it’s in here
22:36:39 <armax> https://docs.openstack.org/developer/neutron/policies/blueprints.html#neutron-request-for-feature-enhancements
22:37:15 <ihrachys> "A member of the Neutron release team (or the PTL)"
22:37:15 <ihrachys> ok
22:37:17 <armax> a member of the release team or drivers team
22:37:21 <armax> but I can do it
22:37:37 <armax> leave it with me
22:37:44 <ihrachys> armax: and so we keep the bug in Triaged once we set rfe-approved?
22:38:21 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1658682
22:38:21 <openstack> Launchpad bug 1658682 in neutron "port-security can't be disabled if security groups are not enabled" [Wishlist,Triaged]
22:38:31 <armax> ihrachys: it doesn’t matter
22:38:45 <armax> the bug will go to in progress as soon as patches are being filed against
22:39:23 <kevinbenton> it's not clear to me what the ask is here
22:39:34 <kevinbenton> is it just to allow disabling port security if security groups are shut off?
22:39:34 <armax> personally here I think it’s time to kill the config option
22:39:40 <armax> enable_security_group
22:39:49 <armax> it has outlived its purpose
22:39:53 <kevinbenton> armax: it sounds like that's the opposite of what they want
22:40:00 <armax> tough luck
22:40:18 <armax> disabling security groups globally is an abuse
22:40:33 <armax> and it was a stop gap when nova-net was the 800 lbs gorrila
22:40:36 <armax> gorilla
22:40:51 <ihrachys> well it would still be a conforming implementation; it's just that we may not want to support that for ml2
22:40:55 <armax> today we must API-drive all the things
22:41:05 <amotoki> port-security and the config option conflict. IIRC the option was introduced when a security group feature was introduced. we had enough confident on that
22:41:30 <kevinbenton> then i think we should close this RFE as "won't fix"
22:41:42 <kevinbenton> because any fix will be invalid right when we remove the option to disable it
22:41:46 <kevinbenton> it == security groups
22:42:02 <armax> kevinbenton: it depends if you agree with me
22:42:25 <armax> I mean, I don’t think that a global flag to disable security is a reasonable option anymore
22:42:58 <amotoki> +1 to Won't fix. also do we deprecate enable_sg option?
22:43:10 <kevinbenton> yeah, from a cross cloud behavior standpoint disabling SGs isn't good
22:43:22 <armax> amotoki: deprecating the option is gonna be interesting
22:43:48 <kevinbenton> so I'm okay with "Won't Fix"
22:43:52 <armax> because the alternative once the option goes away is gonna be use the API to disable security groups on your port
22:44:27 <kevinbenton> i suspect this will bring back the "allow changing default security group" discussion :)
22:44:31 <armax> which is something the admin can’t be involved in
22:45:04 <armax> that’s a good point
22:45:07 <armax> the problem is
22:45:10 <kevinbenton> ok, armax please mark Won't Fix
22:45:15 <armax> the answer to that is FWaaS
22:45:22 <ihrachys> are we ok silently enabling that for all ports on upgrade? sounds like a tough thing to do for ops.
22:45:23 <armax> but there’s no model to relax security then
22:45:41 <armax> kevinbenton: hang on, let’s discuss a bit more about this
22:45:54 <armax> kevinbenton: that’s probably an excellent topic for the forum
22:45:56 <amotoki> ihrachys: good point
22:45:58 <armax> wink wink
22:46:04 <armax> make note
22:46:21 <kevinbenton> #action kevinbenton to propose forum topic about security groups
22:46:46 <armax> we should probably mumble on this one a tad longer
22:46:48 <ihrachys> that note will die in vain here
22:46:48 <amotoki> at least users can know whether sg is enabled or not through extension list
22:47:11 <kevinbenton> amotoki: true, it is discoverable
22:47:13 <armax> ihrachys: will or will not?
22:47:51 <ihrachys> it probably will, no one follows up on actions in irc logs :)
22:48:30 <armax> ihrachys: come on, have faith
22:48:35 <armax> :)
22:48:57 <ihrachys> shall we move on then?
22:49:00 <kevinbenton> yes
22:49:14 <armax> yeah, this needs more thinking
22:49:52 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1658682
22:49:52 <openstack> Launchpad bug 1658682 in neutron "port-security can't be disabled if security groups are not enabled" [Wishlist,Triaged]
22:50:00 <ihrachys> kevinbenton: oops?
22:50:11 <ihrachys> should be mtu right
22:50:17 <kevinbenton> yes
22:50:18 <armax> muuu
22:50:23 <kevinbenton> #link https://bugs.launchpad.net/neutron/+bug/1671634
22:50:23 <openstack> Launchpad bug 1671634 in neutron "[RFE] Allow to set MTU for networks" [Wishlist,Triaged] - Assigned to Ihar Hrachyshka (ihar-hrachyshka)
22:50:29 <kevinbenton> +1 from me on this one
22:50:40 <ihrachys> it's my baby so I better listen to others
22:50:49 <kevinbenton> Ihar removed the column, he can re-add it :)
22:50:53 <ihrachys> tl;dr allow to POST mtu on networks
22:51:00 <kevinbenton> excercise our migration scripts
22:51:04 <armax> hang on
22:51:08 <ihrachys> there are follow up items in MTU world that are not covered by that RFE
22:51:10 <amotoki> me too. one thing to note is we need to check MTU specified to user should be smaller than system max
22:51:16 <armax> you want to allow POST to tenants?
22:51:30 <ihrachys> amotoki: that's ofc a must
22:51:37 <armax> to me this is a huge breach of abstraction
22:51:38 <ihrachys> armax: yes, as long as you go down the max
22:52:00 <kevinbenton> armax: MTUs are directly exposed to tenants
22:52:08 <ihrachys> armax: abstraction as in - you don't know what mtu you will get?
22:52:21 <armax> ihrachys: you have not elaborated why this is useful
22:52:48 <ihrachys> armax: 2nd sentence and beyond
22:52:52 <armax> why would a user care?
22:52:56 <ihrachys> in lp
22:53:09 <amotoki> even if we don't allow users to specify MTU, user can set MTU manually if they want to use larger MTU (something like 8950)
22:53:20 <armax> what are these custom workloads?
22:53:40 <ihrachys> two cases 1) workload assumes some MTU for its unknown reasons (maybe their VNF is picky); 2) users want to get the same MTU for all its networks
22:53:40 <kevinbenton> so using an MTU larger than 1500 on the internet can bring pain
22:53:43 <armax> don’t get me wrong
22:53:58 <amotoki> sometimes we cannot get full throughput with 1500 MTU
22:53:58 <armax> I am not reluctant to the idea
22:54:13 <kevinbenton> some people don't want web servers to have a 8000 MTU
22:54:19 <armax> I am just thinking that more choice and traspanrency is not necessarily a good thing
22:54:28 <amotoki> but for internet connection 1500 MTU is needed, so we cannot advertise larger MTU thru dhcp
22:54:29 <kevinbenton> because if there are dropped ICMP size exceeded in the network, it leads to bad performance
22:54:49 <kevinbenton> armax: there is no more transparency
22:54:52 <kevinbenton> armax: same as before
22:54:58 <kevinbenton> MTU is user visible
22:55:02 <armax> if I am the only one on the fence here, than it’s fine
22:55:02 <ihrachys> custom workloads being e.g. something VNF-y that chews frames in some hardware offloaded way that relies on specific limitations of NICs exposed into it.
22:55:05 <armax> kevinbenton: true
22:55:14 <armax> but the user can’t do anything to it
22:55:15 <ihrachys> amotoki: we can, l3 layer will deal with fragmentation
22:55:16 <armax> right?
22:55:35 <kevinbenton> armax: yes, that's the issue. we force MTU on all users
22:55:45 <ihrachys> armax: I hear from customers the same "silly" question - how do I get 1500 for all my networks?
22:55:47 <armax> it’s mainly informational in case the guest needs to do something related to the MTU
22:55:49 <kevinbenton> armax: and are even trying to get rid of the ability to stop advertising
22:56:06 <kevinbenton> armax: every guest needs to use the correct MTU
22:56:07 <amotoki> ihrachys: ah, router reassembles packets to smaller MTU if larger packets come in?
22:56:17 <ihrachys> armax: it's not only informational. l3 agent will fragment incoming traffic into chunks as per calculated MTU
22:56:28 <ihrachys> if your instance is not ready to consume those, tough life
22:56:38 <kevinbenton> ihrachys: fragmentation sucks if it happens somewhere else in the network
22:56:42 <armax> L3 agents is not something the user even see
22:56:49 <ihrachys> amotoki: yes, it does fragment
22:56:55 <kevinbenton> ihrachys: see my point about dropped ICMP messages
22:57:25 <ihrachys> armax: right. neither they see traffic fragmented using MTU that is larger than you configured your instance for :)
22:57:40 <armax> I suppose as a user and owner of a logical network I may want to control the whole thing, MTU included
22:57:53 <kevinbenton> yes
22:57:55 <armax> but then why was it admin only in the first place?
22:58:10 <kevinbenton> we need to move on to figure out meeting time for next week
22:58:18 <ihrachys> because it allowed to go beyond what infrastructure supports
22:58:26 <ihrachys> ok let's discuss time
22:58:26 <armax> kevinbenton: actually we have time
22:58:32 <armax> because I am gonna have to skip the next two anyway
22:58:49 <kevinbenton> armax: you're permanently skipping the rest?
22:58:59 <kevinbenton> if not, you better provide feedback
22:59:02 <kevinbenton> #topic meeting time
22:59:05 <armax> no, I mean I can’t attend the next two occurrences
22:59:25 <kevinbenton> 1400 UTC on thursday or 1500 UTC another day
22:59:29 <kevinbenton> armax: do either of those work?
22:59:34 <kevinbenton> armax: for you
22:59:41 <armax> right now I can do 11am PDT
22:59:58 <kevinbenton> not even close
23:00:11 <kevinbenton> can you do any early mornings any day of the week?
23:00:18 <armax> nah
23:00:33 <kevinbenton> ok, then i think we're at a deadlock and will need to keep the current time for now
23:00:38 <armax> this early is difficult for me
23:00:41 <kevinbenton> ihrachys: can you survive for now?
23:00:49 <ihrachys> survive is a good word
23:00:50 <armax> I have other meetings or have to drop my daugther to school
23:00:53 <armax> and I can’t type
23:01:10 <ihrachys> I am used to survival, since Europe.
23:01:14 <kevinbenton> ok
23:01:25 <armax> morning slots are pretty much booked for me at the moment
23:01:29 <kevinbenton> so for now i think the only time that people can all show up is now
23:01:34 <armax> like 8-10am
23:01:34 <ihrachys> ok
23:01:36 <armax> local time
23:01:38 <kevinbenton> #info meeting time to stay the same
23:01:47 <kevinbenton> #endmeeting