14:00:08 <dougwig> #startmeeting neutron lbaas
14:00:09 <openstack> Meeting started Thu Sep 18 14:00:08 2014 UTC and is due to finish in 60 minutes.  The chair is dougwig. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:12 <openstack> The meeting name has been set to 'neutron_lbaas'
14:00:19 <evgenyf> hello
14:00:20 <dougwig> morning lbaas
14:00:25 <rm_you> morning
14:00:29 <dougwig> agenda:
14:00:31 <dougwig> #link https://wiki.openstack.org/wiki/Network/LBaaS#Meeting_18.09.2014
14:00:43 <sbalukoff> o/
14:00:54 <dougwig> #topic Announcements
14:00:56 <dougwig> a few items to highlight from the neutron meeting
14:01:08 <dougwig> fyi, freenode was hacked:
14:01:10 <dougwig> #link https://blog.freenode.net/2014/09/server-issues-2/
14:01:20 <xgerman> o/
14:01:35 <dougwig> and i'd like to highlight the octavia review query link:
14:01:37 <dougwig> #link http://bit.ly/1wqy47t
14:01:44 <dougwig> any other announcements?
14:02:10 <dougwig> moving on
14:02:13 <dougwig> #topic Incubator update
14:02:13 <TrevorV> o/
14:02:23 <dougwig> mestery, any updates for us?
14:02:53 <mestery> dougwig: Did markmcclain talk to you or sballe?
14:03:05 <mestery> dougwig: He was supposed to, if he hasn't, then no updates.
14:03:14 <blogan> hello
14:03:17 <dougwig> i can't speak for sballe, but i haven't heard from him
14:03:20 <xgerman> sballe is running late
14:03:30 <xgerman> and might not make this meeting
14:03:33 <blogan> i havent heard anything either
14:03:34 <mestery> dougwig: OK, no update now, lets wait for sballe (I'm talking to her later today for a different issue)
14:03:41 <dougwig> ok
14:03:51 <mestery> #action mestery to resolve neutron incubator issues this week
14:03:57 <dougwig> moving on to another item of note from the neutron meeting...
14:03:59 <dougwig> #topic Kilo Design Summit Etherpad
14:04:09 <dougwig> details of the design summit planning are out
14:04:10 <dougwig> #link http://lists.openstack.org/pipermail/openstack-dev/2014-September/045844.html
14:04:19 <dougwig> here is the etherpad for neutron:
14:04:20 <dougwig> #link https://etherpad.openstack.org/p/kilo-neutron-summit-topics
14:04:33 <dougwig> and the overall link to all etherpads:
14:04:33 <dougwig> #link https://wiki.openstack.org/wiki/Summit/Planning
14:04:39 <dougwig> Neutron sessions will be on Wednesday and Thursday, Cross-project track is Tuesday, Friday is for program pods
14:04:44 <dougwig> go forth and edit.
14:05:08 <blogan> how would a project get a session?
14:05:13 <xgerman> those LBaaS sessions are v1, v2, or Octavia?
14:05:34 <blogan> lbaas udp?
14:05:35 <xgerman> LBaaS udp
14:05:35 <xgerman> LBaaS HA
14:05:35 <xgerman> LBaas Monitoring and alerting
14:05:35 <xgerman> LBaaS - Security groups
14:05:46 <xgerman> of course
14:06:29 <dougwig> mestery: should octavia sessions be in the neutron etherpad, or somewhere on their own?
14:06:48 <mestery> dougwig: Put them in the neutron pad for now if that makes sense
14:06:53 <mestery> dougwig: We'll see how it falls out.
14:06:54 <blogan> since there is one for v2, I suppose those are for v1 or just a LBaaS and general
14:06:55 <mestery> Make sense?
14:07:25 <xgerman> since we are LBaaS I am puzzled who put them in
14:07:25 <dougwig> if we're putting network program items in that one, it makes sense to me.
14:08:07 <dougwig> someone put in lbaas udp?  haha, sweet.  :)
14:08:33 <blogan> i thought it'd of been you
14:08:48 <xgerman> wasn't me :-)
14:08:50 <sbalukoff> Huh.
14:08:54 <dougwig> does anyone want to brainstorm what sessions we want/need here?  time is limited, so we'll want to be pretty crisp in what we request.
14:08:58 <rm_you> maybe it was mestery? :P
14:09:05 <xgerman> anyhow should we change LBaaS HA -> Octavia HA
14:09:19 <mestery> I think it was markmcclain :P
14:09:22 <blogan> im not sure we know exactly what we will want to discuss when that time comes
14:09:40 <dougwig> blogan: that implies that maybe we just want to aim for the pods?
14:09:53 <xgerman> well, we want to sort of approve the blueprints for our first release
14:09:59 * TrevorV keeps seeing lbaas udp... is that serious?
14:10:04 <blogan> dougwig: i think we'd get a lot more done there
14:10:52 <sbalukoff> Are the pods more informal? I worry that we'd miss out on people attending who don't know as much about Octavia if we're meeting ad-hoc in the pods.
14:11:01 <xgerman> +1
14:11:07 <blogan> sbalukoff: yeah you're probably right
14:11:35 <dougwig> are we at the point where having 100 people attend is useful?  i personally don't want a huge session without a crisp focus just because we want a large group
14:11:36 <blogan> though I don't see octavia getting approved for a design session, but it doesn't hurt to try
14:11:46 <xgerman> Are we ok with the proposed LBaaS topics? Should they be Octavia topics?
14:12:13 <xgerman> I am missing stuff like L7 we used to work on... SNI
14:12:27 <sbalukoff> I don't even know what all host LBaaS topics are about: We certainly haven't seen them discussed here or on the ML in the last month.
14:12:42 <dougwig> personally, i think there are too many proposed right now.
14:12:46 <sbalukoff> They should be Octavia topics, eh.
14:12:46 <xgerman> and that worries me since we are LBaaS
14:13:01 <blogan> well we definitely need to talk about v2
14:13:02 <sbalukoff> xgerman: +1
14:13:11 <dougwig> blogan: perhaps your "agent for all drivers" proposal?
14:13:29 <blogan> i thought you weren't a fan of that
14:13:31 <xgerman> exception/error model
14:13:37 <sbalukoff> who is "pcm"?
14:13:52 <blogan> xgerman: the agent for all drivers would lead to that
14:13:57 <dougwig> blogan: heh, i'm not a fan of broccoli either.  people still eat it.
14:14:49 <xgerman> blogan put it on the agenda
14:15:33 <sbalukoff> In any case, I think we can come up with some Octavia-specific design summit ideas and add them here.  what's the deadline for adding new stuff?
14:16:10 <dougwig> check the ML link.
14:16:19 <TrevorV> So LBaaS UDP was a serious topic?
14:16:30 <sbalukoff> TrevorV: I can't imagine it is.
14:16:38 <TrevorV> Its on the list...
14:16:44 <sbalukoff> But I don't know who 'pcm' is, who I think added it.
14:16:44 <dougwig> TrevorV: i don't think so.  mark is still planning that one at a bar, afaik
14:16:45 <rm_you> I think that was the "meet everyone for LBaaS in a pub and have a beer" session :P
14:16:55 <TrevorV> aaah, I forgot about the location reference
14:16:56 <TrevorV> :D
14:17:13 <xgerman> yeah, UDP is our LBaaS party ;-)
14:17:17 <dougwig> any last comments here, before we move to a related topic?
14:17:28 <sbalukoff> LBaaS "Underground Downtown Pub"?
14:17:30 <xgerman> what are LBaaS security groups?
14:17:43 <sbalukoff> xgerman: Yeah, I was wondering that, too.
14:18:30 <sbalukoff> I guess nobody here knows. XD
14:18:34 <sbalukoff> Funny.
14:18:44 <dougwig> #topic Summit meetup
14:19:00 <dougwig> who's going to paris, and is someone willing to plan an evening get together?
14:19:11 <sbalukoff> I'm going.
14:19:16 <dougwig> i'm going
14:19:19 <xgerman> me, too +sballe
14:19:24 <crc32> rackspace is in limbo right now.
14:19:28 <a2hill> heh..
14:19:30 <sbalukoff> I could check with my team to see if Blue Box wants to host.
14:20:08 <blogan> i still have not heard any definitive answer to the limbo we are in about going to Paris
14:20:53 <dougwig> we'll put up a cardboard cutout of you during your talk window.
14:20:54 <rm_you> I am pretty sure at the least blogan, crc32 and I are going, since we already bought tickets...
14:21:18 <evgenyf> Samuel, Avishay and myself are going, as for now
14:21:19 <rm_you> but hopefully they get their shit together and a2hill goes as well
14:21:42 <crc32> at best it would be a2hill,blogan,crc32, and rm-you. a2hill has priority over me on this one. But at worst no one.
14:22:14 <a2hill> idk if id be the most useful to go, so if they have a lottery ill give up my position to someone that may be more useful. i.e. adam
14:22:27 <xgerman> Speakers who were not chosen still have the opportunity to present a Tech Talk in the #vbrownbag room. Apply here.
14:22:28 <a2hill> hopefully that's not the case
14:22:48 <dougwig> xgerman: do you have a link for that?
14:23:01 <xgerman> http://openstack.prov12n.com/techtalks-at-openstack-summit-paris/
14:23:06 <rm_you> xgerman: yeah do i need to sign up? I figured maybe it was like, sign up at the door
14:23:17 <dougwig> #link http://openstack.prov12n.com/techtalks-at-openstack-summit-paris/
14:23:23 <sbalukoff> rm_you: you want to sign up early.
14:23:48 <xgerman> yeah, we should put some of the talks which got voted down there (e.g. Octavia)
14:23:48 <rm_you> k
14:23:55 <dougwig> #topic Open Discussion
14:24:10 <vjay7> I am late, just joined. was incubator discussed?
14:24:19 <sbalukoff> #action sbalukoff to check with Blue Box team to find out if Blue Box wants to host evening get-together somewhere.
14:24:20 <xgerman> yes, same as last week
14:24:30 <rm_you> yeah I was going to do "Barbican Integration for Certificate/Key Storage in Neutron and other Openstack Services"
14:24:59 <sbalukoff> rm_you: Go for it!
14:25:11 <sbalukoff> I suppose I could give a talk on Octavia.
14:25:20 <xgerman> +1
14:25:33 <sbalukoff> We could try collaborating on one-- though I don't know if they're set up for two people on camera.
14:25:33 <xgerman> yeah, I can speak to that, too :-)
14:25:56 <TrevorV> you guys can snuggle up in the camera view, right sbalukoff ?
14:26:08 <sbalukoff> #action sbalukoff to sign up for vbrownbag talk on Octavia. World rejoices.
14:26:13 <sbalukoff> Haha! sure!
14:26:21 <xgerman> lol
14:26:29 <sbalukoff> Who wants to photobomb an Octavia vbrownbag talk?
14:26:54 <sbalukoff> We should totally cycle through like 5 people during the 10 minutes we have. XD
14:27:00 <rm_you> Oh, speaking of which, I still owe the ML some diagrams and such about the Keystone/Barbican/Neutron interaction stuff, but it keeps freaking changing
14:27:44 <rm_you> and on that topic, how violently will people be willing to fight against "requiring the user to set up a Trust on their own in advance, probably using a provided template"?
14:27:55 <xgerman> -1
14:28:04 <xgerman> that's not user friendly
14:28:05 <TrevorV> okay, so xgerman isn't going to fight, that's nice
14:28:25 <rm_you> xgerman: *I* know that and agree
14:28:32 <dougwig> it has precedent if horizon can make it look like an android app install permissions request, but overall, it's fairly silly.
14:28:34 <rm_you> but if people don't want to back me, I won't fight it
14:28:39 <sbalukoff> rm_you: Eew?
14:28:55 <rm_you> it's looking more and more like that's going to be the future requirement
14:29:11 <dougwig> tell us what link to show up on and drop a mountain of -1's.
14:29:12 <rm_you> even if we get away with doing it temporarily ourselves, in the end that is going to be the only way
14:29:29 <blogan> yeah we can put in -1's
14:29:33 <sbalukoff> rm_you: And that will be the case for all consumers of that functionality, right? (VPNaaS as well, for example)?
14:29:35 <blogan> dougwig has the right idea
14:29:44 <a2hill> People are not liking having user set up a trust?
14:29:45 <rm_you> well, if we REALLY strongly object, then I could use more heads working on this issue -- we need to figure out a secure way to do it that the keystone folks will agree is ok
14:29:49 <rm_you> sbadia: yes
14:29:50 <rm_you> err
14:29:52 <rm_you> sbalukoff: yes
14:29:54 <a2hill> but would rather have it done for them?
14:30:18 <rm_you> well, the problem is the first BP that'll come up for it will be mine, for doing it that way because there's no alternative
14:30:38 <rm_you> not sure piling -1s on that is constructive :P
14:30:59 <xgerman> it's clear what's needed and they are not giving it to us
14:30:59 <crc32> q-2?
14:31:11 <rm_you> we need to figure out a secure way to make it work that we're all ok with... tell you what, I'll send out a mail with what I have so far, TODAY, and detail the issue, and maybe we can get some good ideas flowing
14:31:27 <dougwig> a2hill: well, is there any other openstack service where you have to go set up boilerplate first?  alternately, can you imagine how much fun that will be when it's wired into 20 different things?
14:31:31 <sbalukoff> rm_you: Good idea!
14:31:56 <TrevorV> rm_you, +1
14:32:05 <dougwig> rm_you: +1
14:32:11 <rm_you> i'm starting to feel like mestery/mark, promising you info and then disappearing for weeks :P
14:32:14 <crc32> I'm heading in. see you guys in a little bit.
14:32:18 * rm_you prods mestery
14:32:20 <sbalukoff> Ouch.
14:32:35 <rm_you> all in good fun
14:32:36 <dougwig> lol
14:32:38 <rm_you> anyway, yeah that's it
14:32:42 <sbalukoff> :)
14:32:47 <vjay7> Is the topic over?
14:32:57 <xgerman> Open Discussion?
14:33:05 <dougwig> it's open discussion.  do you have something?
14:33:23 <xgerman> vijay7?
14:33:24 <vjay7> yes, want to know if there is anyone who has tried setting up HA on a backend
14:33:42 <xgerman> this is what we are doing Octavia for
14:33:49 <dougwig> yes, but for me, it's cheating.  in what context?
14:33:58 <a2hill> dougwig, why would want to allow another service generate a 'trust' that is supposed to be secure. If I allow that service to use it, well thats a different story
14:34:07 <sbalukoff> vjay2: Not in the context of Neutron LBaaS specifically, but I know our Neutron installs we do HA. (And lots of other non-OpenStack stuff throughout our networks.)
14:34:15 <a2hill> You had to set up an account to get access to the entire service initially
14:34:47 <a2hill> have to make request to get token, so can we take an account id and get the token for them so they dont have to do that either?
14:34:53 <rm_you> dougwig / a2hill: yeah, it's pretty much a security/usability tradeoff balance, as always
14:34:58 <a2hill> :/
14:34:59 <dougwig> a2hill: if i'm an end user, i already trust all of openstack.  i don't know it's a bunch of little fiefdoms, nor do i care.  my trust happens when i register.
14:35:12 <a2hill> fair enough
14:35:24 <sbalukoff> dougwig: +1
14:35:27 <dougwig> a2hill: this exposes openstack warts/architecture to the end user, is all.
14:35:42 <sbalukoff> Which is usually considered "bad"
14:35:49 <vjay7> if there are 2 backends that has to be configured for HA. we need to create additional ports serving the same VIP. Other than the port created for VIP by the LBaaS plugin.
14:36:13 <sbalukoff> vjay2: There are a couple ways of doing this, IIRC.
14:36:36 <a2hill> I guess i don't see that as a wart, but I get the points you are making dougwig
14:36:48 <a2hill> +1 we shall battle?
14:36:51 <vjay7> IIRC?
14:37:00 <sbalukoff> if I recall correctly.
14:37:01 <a2hill> if i remember correctly
14:37:03 <a2hill> or that
14:37:15 <vjay7> ok :-)
14:37:26 <vjay7> would like to know more about it
14:38:34 <sbalukoff> Sorry, trying to remember exactly how it's done (it's early). I seem to recall one of them uses a specific Neutron plug-in to accomplish it, but I'm not remembering which it is right now.
14:40:08 <dougwig> it also depends on the HA.  if you have a pair of HA appliances that will mimic at the L2 level, nothing.  at the L3 level, you can add static routes to the subnets on the hardware appliances, or trust implicit routing and make sure that's setup, or plumb in additional ports.
14:40:27 <dougwig> or whatever method sbalukoff is going to suggest.
14:41:13 <vjay7> How do you make it mimic?
14:41:30 <vjay7> ports are created with their own IP address right?
14:42:16 <vjay7> Basically there are 2 issues. (1) How to allow the extra port created to allow IP address in addition to what it was created with. (2) Are there security policies or throughput restrictions applied on the port created for VIP by LBaaS plugin
14:42:49 <sbalukoff> Gah... I'm not coming up with it.
14:43:07 <sbalukoff> I'm going to have to check with Dustin or something when it's not gawd-awful early. :P
14:43:15 <dougwig> vjay7: the answer to your first question is something like vrrp between the hardware, which is out of scope of lbaas.
14:43:21 <dougwig> (2) no
14:43:25 <xgerman> (2) Neutron per se only allows one port per VIP -- so you would need to switch off the anti-spoofing or add a plugin
14:43:50 <dougwig> also depends on if you're talking active-active or active-standby
14:44:11 <vjay7> it is active-standby
14:44:40 <dougwig> then one port per vip is fine, you just have to flip it when a failover happens.
14:45:18 <dougwig> assuming you can quickly flip N thousands quickly.
14:45:43 <vjay7> flip meaning attach the ports to the standby instance?
14:45:52 <dougwig> is this with an appliance or with the haproxy driver?
14:46:07 <vjay7> it is with NetScaler appliance
14:46:39 <dougwig> are they doing HA of some kind between themselves, or are you just trying to run two of them in parallel?
14:47:14 <vjay7> they will do HA between themselves. When heartbeat between the appliances fail, the slave will takeover
14:48:03 <dougwig> ok.  can we move this conversation to the lbaas channel after the meeting?
14:48:11 <vjay7> ok
14:48:23 <dougwig> any other open discussion?
14:48:55 <blogan> i put up a spec for the octavia operator-api
14:49:03 <xgerman> yeah!!
14:49:07 <blogan> not neutron lbaas related
14:49:34 * blogan likes to make xgerman happy
14:49:37 <dougwig> if we want octavia to be the ref backend, i consider it neutron lbaas related.
14:49:55 <xgerman> we do want to make it that ;-)
14:50:40 <dougwig> last chance for discussion, or we'll end early...
14:51:18 <vjay7> a dumb question. I have not been active in the MLs. Was there any news on incubator stuff and its process? Any links to read
14:51:27 <vjay7> Will projects in incubation be packaged but default switched OFF and any admin can turn it on?
14:51:46 <blogan> vjay7: you are just as informed as we are without being updated for the last 2 months
14:51:47 <dougwig> as far as i know, this is the latest info:
14:51:49 <dougwig> #link https://wiki.openstack.org/wiki/Network/Incubator
14:52:13 <vjay7> thanks!
14:52:54 <dougwig> ok, let's let stephen get back to sleep.
14:53:03 <dougwig> #endmeeting