#openstack-neutron log

14:00:49 <ralonsoh> #startmeeting neutron_drivers
14:00:49 <opendevmeet> Meeting started Fri Apr 21 14:00:49 2023 UTC and is due to finish in 60 minutes.  The chair is ralonsoh. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:49 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:49 <opendevmeet> The meeting name has been set to 'neutron_drivers'
14:00:50 <ralonsoh> hello
14:01:03 <lajoskatona> o/
14:01:16 <slaweq> o/
14:01:35 <rubasov> o/
14:02:17 <ralonsoh> ok, let's start
14:02:18 <obondarev> o/
14:02:24 <sahid_> o/
14:02:30 <ralonsoh> first topic is
14:02:34 <ralonsoh> #link https://bugs.launchpad.net/neutron/+bug/2013228
14:02:39 <ralonsoh> [rfe] Non-admin users unable to create SR-IOV switch dev ports
14:02:44 <ralonsoh> I'll present it
14:02:57 <ralonsoh> the idea, discussed during this PTG and the previous one
14:03:04 <ralonsoh> is to have another port extension
14:03:20 <ralonsoh> a flag, that will enable/disable the HW offload
14:03:36 <ralonsoh> instead of writing in the port binding, that is something Neutron shouldn't do
14:03:59 <ralonsoh> any backend supporting HWOL, will read it and create the corresponding interface
14:04:16 <ralonsoh> (that means communication with Nova, that needs to support this extension)
14:04:55 <ralonsoh> so that's the feature. That will require a spec because: we create a new API extension, DB changes, changes in 2 backends and Nova-Neutron sync
14:05:38 <lajoskatona> nova-spec also?
14:05:44 <ralonsoh> I don't think so
14:05:47 <lajoskatona> akc
14:05:49 <lajoskatona> ack
14:05:56 <ralonsoh> but this is something I can check with Nova folks
14:07:20 <sahid_> I may not understand all, but insn't that somehing whcih should be controled by nova, having a port created using HW offload?
14:07:36 <ralonsoh> no, the port is created by Neutron
14:07:41 <ralonsoh> the DB port
14:07:53 <ralonsoh> Nova, reading the Neutron port, creates the L1 port
14:08:17 <ralonsoh> ah, this flag will be by default admin only but configurable via policies
14:08:17 <slaweq> so currently this information is in binding profile and that's how nova and other backends expects it, right?
14:08:24 <ralonsoh> yes
14:09:00 <ralonsoh> well, the backend is controlled by Neutron, so that is something to be changed in our side
14:09:16 <ralonsoh> the only "external" issue is the info passed to Nova
14:09:30 <ralonsoh> to pass to os-vif the correct way to create the L1 port
14:09:40 <slaweq> why can't we add new extension to add new port's attribute for that so users can use it but then internally translate it into binding profile and send to e.g. nova?
14:09:42 <slaweq> that way impact of the change would be smaller, am I correct?
14:10:20 <ralonsoh> right, but the secondary goal of this feature was to avoid writing in the por tbinding dict
14:10:28 <ralonsoh> something that should be done only by nova
14:10:30 <ralonsoh> but
14:10:38 <ralonsoh> we can implement that in two phases
14:10:46 <ralonsoh> 1) add the port extension + port binding
14:11:07 <ralonsoh> 2) in the next release, if nova implements the port extension, remove the port binding stuff
14:11:24 <slaweq> yeah, IIUC what You actuallywant to do are 2 different things
14:11:33 <ralonsoh> yes
14:11:37 <slaweq> 1. new extension to allow users setting this HWOL flag and
14:11:45 <slaweq> 2. change/improve communication with nova
14:11:47 <ralonsoh> yes
14:12:00 <ralonsoh> and also allow non-admin users to create HWOL ports
14:12:13 <ralonsoh> **if** the admin allows that in the policies
14:12:24 <slaweq> yes, but that's kind of related to 1)
14:12:26 <mlavalle> and without touching the port binding
14:12:30 <ralonsoh> yes
14:13:56 <slaweq> yes, but that's kind of related to 1)
14:14:02 <mlavalle> honestly, the rfe is not as clear as what we've discussing here
14:14:15 <ralonsoh> no, it isn't
14:14:24 <lajoskatona> agree
14:14:36 <obondarev> same feeling
14:14:39 <ralonsoh> if approved, I'll add a comemnt of what should be implemented and what the spec will contain
14:14:52 <mlavalle> right, I was about to suggest that
14:15:01 <mlavalle> to make clear what we understood
14:15:06 <ralonsoh> I prefer no to change the description, that is not mine
14:15:15 <mlavalle> that's fine
14:15:22 <slaweq> ++
14:15:24 <lajoskatona> shall we expect johnthetubaguy to work on this?
14:15:29 <ralonsoh> no
14:15:30 <mlavalle> just in a coment leave in black and white our understanding
14:15:35 <ralonsoh> but I can ask him
14:15:49 <sahid_> why this was admin only from the beginning? something was just missing or it was legitimate?
14:16:00 <ralonsoh> port binding is admin only
14:16:03 <ralonsoh> and not configurable
14:16:44 <mlavalle> so who would write the spec?
14:16:58 <ralonsoh> I'll do
14:17:05 <ralonsoh> and I'll implement the feature
14:17:22 <obondarev> +1 then :)
14:17:24 <ralonsoh> but if you agree on the description given here
14:17:27 <slaweq> so I'm +1 for this RFE but for point 1) for now
14:17:38 <ralonsoh> ok, I'll add the description of the 2 phases
14:17:42 <slaweq> I think that neutron-nova thing is another story
14:17:52 <ralonsoh> that will be easy to implement
14:18:10 <slaweq> I'm also fine with that but this should probably be discussed separately in nova-neutron session probably
14:18:14 <ralonsoh> for sure
14:18:32 <ralonsoh> we can change the Neutron code isolating the neutron-nova communication
14:20:10 <ralonsoh> any other question?
14:20:30 <slaweq> nothing from me
14:20:41 <lajoskatona> not from me
14:20:46 <mlavalle> no, I think enabling users to create hwol ports, under controls, is a worthy cause
14:20:47 <lajoskatona> I agree with this plan
14:20:50 <ralonsoh> then please vote for this RFE
14:21:03 <mlavalle> +1
14:21:03 <lajoskatona> +1 with the  spec
14:21:18 <mlavalle> yeap, spec is needed
14:21:50 <ralonsoh> slaweq, obondarev ?
14:21:56 <obondarev> +1
14:22:02 <slaweq> +1
14:22:13 <ralonsoh> so approved with spec, including the description done in this conversation (and the 2 phases plan)
14:22:19 <ralonsoh> thank you all
14:22:24 <ralonsoh> next one
14:22:34 <ralonsoh> #link https://bugs.launchpad.net/neutron/+bug/2016197
14:22:39 <ralonsoh> neutron can create port from network which has no subnet
14:22:40 <ralonsoh> related to
14:22:45 <ralonsoh> #link https://bugs.launchpad.net/neutron/+bug/2016198
14:23:15 * sahid_ checked the spec to this why it has been implemented in that way considering admin only, but no mentions of that
14:24:06 <ralonsoh> OK, Liu is not here but I'll start the conversation
14:24:26 <ralonsoh> regardless of seeing the problem in lp#2016198
14:24:47 <ralonsoh> I don't think we should block the creation of a port in a network without subnets
14:25:10 <slaweq> if we already have it like that, I don't think we can remove it as it would be backward incompatible
14:25:11 <slaweq> and we can break someone's use case even if we don't know about it
14:25:18 <ralonsoh> although, being said, I don't see any useful thing
14:25:40 <ralonsoh> yeah, that's the point, this is something that the current API allows
14:25:48 <ralonsoh> to be honest I don't see any usecase
14:25:53 <ralonsoh> but is allowd
14:25:57 <slaweq> subnet is just our internal thing used for IPAM - network and port are things which IMO may be treated as representation of things from "physical" world
14:25:58 <sahid_> removing this will be an api breaking
14:26:08 <obondarev> seems like HA routers bug can be fixed with just checking HA network subnets
14:26:13 <slaweq> sahid_++
14:26:25 <ralonsoh> obondarev, right!
14:27:09 <ralonsoh> but this call should be done inside the same context creating the subnet
14:27:15 <ralonsoh> just to be transactional
14:27:16 <slaweq> maybe we should do something like allocating IP addresses to ports when subnet is created
14:27:33 <slaweq> something like:
14:27:54 <slaweq> for port in network.ports:
14:28:06 <slaweq> if not port.fixed_ips:
14:28:10 <slaweq> port.allocate_ip()
14:28:23 <mlavalle> ^^^inside subnet creation
14:28:25 <slaweq> which would be done after subnet creation
14:28:26 <obondarev> can it  be undesired behaviour for those using no-IP ports on purpose?
14:28:42 <ralonsoh> but we can have a subnet withtout ports
14:29:00 <slaweq> obondarev so we can add maybe config knob to disable this new behavior
14:29:26 <slaweq> but use it for HA networks mentioned in https://bugs.launchpad.net/neutron/+bug/2016198
14:29:43 <obondarev> yeah, but if the only reason to do this is HA bug - I'd still fix race condition in traditional way
14:30:07 <obondarev> by adding wait condition I mean
14:30:16 <ralonsoh> if this is a race condition, then the best way is to use somehow the DB engine
14:30:33 <mlavalle> I agree with ralonsoh
14:30:39 <opendevreview> Slawek Kaplonski proposed openstack/neutron master: [S-RBAC] Switch to new policies by default  https://review.opendev.org/c/openstack/neutron/+/879827
14:30:39 <obondarev> makes sense
14:31:09 <slaweq> ok, so for HA networks bug there are for sure better solutions and ways to fix it
14:31:11 <mlavalle> at the same time I agree with obondarev that we shouldn't add features to fix a bug
14:31:36 <slaweq> and for RFE I'm -1 to remove this functionality from our API
14:32:08 <ralonsoh> -1, agree, there should be another way to prevent this race condition
14:32:09 <obondarev> so I guess there are several ways to fix the bug, and disallow no-IP port creation seems an overkill
14:32:28 <ralonsoh> is there something that identifies an HA network?
14:32:31 <obondarev> -1 for RFE
14:32:35 <lajoskatona> agree, there should be users who depend on it
14:32:39 <ralonsoh> that makes it different from other HA networks?
14:32:44 <slaweq> ralonsoh nothing except name IIRC
14:33:02 <mlavalle> it's just a network
14:33:22 <ralonsoh> but is created for a router, right?
14:33:31 <slaweq> it's created for tenant
14:33:38 <ralonsoh> for a tenant, sorry
14:33:39 <ralonsoh> yes
14:33:58 <ralonsoh> so there we are: we can add a name check in the network creation
14:34:07 <ralonsoh> in the DB engine
14:34:36 <slaweq> but internally it can be identified easy
14:34:43 <slaweq> it has own OVO object https://github.com/openstack/neutron/blob/47d070c71e795e41e698cdb278d99dcfb3448bde/neutron/objects/l3_hamode.py#L58
14:34:58 <ralonsoh> so there it is!!
14:35:01 <slaweq> and there is method to find it https://github.com/openstack/neutron/blob/master/neutron/db/l3_hamode_db.py#L97
14:35:15 <ralonsoh> we can't have more that one L3HARouterNetwork per project
14:35:21 <ralonsoh> right?
14:35:25 <slaweq> yes
14:35:44 <ralonsoh> so perfect, this condition is perfect for the DB engine
14:35:56 <slaweq> https://github.com/openstack/neutron/blob/master/neutron/db/models/l3ha.py#L62
14:36:37 <mlavalle> the primary key is the project
14:36:47 <ralonsoh> but not unique
14:36:59 <ralonsoh> we need a new class for this
14:37:09 <ralonsoh> but easily doable
14:37:31 <ralonsoh> what do you think about proposing that in the LP bugs?
14:37:59 <mlavalle> yes, let's do it
14:38:05 <slaweq> ++
14:38:34 <obondarev> +
14:38:43 <lajoskatona> +1
14:38:45 <ralonsoh> perfect, thank you all, good stuff!
14:38:52 <ralonsoh> last topic
14:38:56 <ralonsoh> mlavalle: Change in implementation of metadata rate limiting vs spec in order to support IPv6
14:38:58 <ralonsoh> please
14:39:29 <mlavalle> I've continued the implementation of this feature after the original proposer indicated he couldn't continue doing it
14:39:58 <opendevreview> Slawek Kaplonski proposed openstack/neutron master: Fix functional tests modules which are using PluginFixture  https://review.opendev.org/c/openstack/neutron/+/881228
14:40:00 <mlavalle> the spec,  https://specs.openstack.org/openstack/neutron-specs/specs/2023.1/metadata-rate-limit.html, didn't address ipv6
14:40:36 <mlavalle> ipv6 came up in one comment from ralonsoh to the proposed code
14:40:55 <mlavalle> so addressing that comment, I've added ipv6 support
14:41:36 <mlavalle> there is an issue, though. the opensource haproxy implementation only allows the tracking of 3 sticky counters
14:42:36 <mlavalle> to implement the spec with rate limiting for ipv4 and ipv6 at he same time, we would need 4 sticky counters
14:43:19 <mlavalle> btw, in line 79 here you can see the haproxy limitation: https://paste.openstack.org/show/bAE6IhPh4fQOGqFoxmMu/
14:43:32 <mlavalle> so I'm proposing a slight change to the spec
14:44:11 <mlavalle> the deployer would need to decide whether the want to rate limit for ipv4 or ipv6, but not both at the same time
14:44:34 <mlavalle> that was, we only need two sticky counters
14:44:57 <slaweq> is that something what can be changed in haproxy in future?
14:45:09 <lajoskatona> hmmm, sad but reasonable limitation
14:45:26 <slaweq> TBH I don't think we need to have it for IPv6 for now
14:45:30 <slaweq> it's not that widely used
14:45:32 <mlavalle> their documentation explicitely indicates that the open source version only allows 3 sticky counters
14:45:37 <obondarev> better than just limiting to ipv4
14:45:54 <slaweq> IPv4 should be more important
14:46:04 <rubasov> I agree that currently we force the deployer to choose between ipv4 and ipv6, however I'd suggest to choose a config format that can allow both in the future, if/when we can support both at the same time
14:46:08 <mlavalle> with my proposal we support both, just not both at the same time
14:46:45 <lajoskatona> +1
14:47:05 <slaweq> ok
14:47:11 <lajoskatona> I mean +1 for cfg option which can be used for allowing both
14:47:22 <ralonsoh> +1, this is an external limitation and we provide to the user the ability to define which one is needed
14:48:11 <ralonsoh> so I think we agree on the proposal
14:48:17 <obondarev> +1
14:48:28 <ralonsoh> mlavalle, make a summary of this conversation in the LP bug
14:48:30 <lajoskatona> +1, thanks mlavalle
14:48:34 <ralonsoh> and thanks!
14:48:49 <mlavalle> thanks, will do
14:48:57 <ralonsoh> so that's all, anything else you want to discuss?
14:49:27 <ralonsoh> have a nice weekend!
14:49:31 <mlavalle> o/
14:49:31 <ralonsoh> #endmeeting