Tuesday, 2016-01-26

« Monday, 2016-01-25 Index Wednesday, 2016-01-27 »
*** outofmemory is now known as reedip00:04
*** salv-orl_ has quit IRC00:17
*** diogogmt has quit IRC00:28
openstackgerritReedip proposed openstack/kuryr: Add report to coverage  https://review.openstack.org/27233700:39
*** yuanying has joined #openstack-kuryr01:10
*** yuanying_ has quit IRC01:11
*** apuimedo has quit IRC01:13
*** apuimedo has joined #openstack-kuryr01:14
*** salv-orlando has joined #openstack-kuryr01:17
*** salv-orlando has quit IRC01:20
*** diogogmt has joined #openstack-kuryr01:24
*** baohua has joined #openstack-kuryr01:49
openstackgerritFawad Khaliq proposed openstack/kuryr: Networking for nested containers(workinprogress)  https://review.openstack.org/26903901:54
*** salv-orlando has joined #openstack-kuryr01:54
*** salv-orlando has quit IRC01:59
*** yuanying has quit IRC02:00
*** yuanying has joined #openstack-kuryr02:03
*** apuimedo has quit IRC02:07
*** apuimedo has joined #openstack-kuryr02:08
*** salv-orlando has joined #openstack-kuryr02:19
*** fawadkhaliq has joined #openstack-kuryr02:21
*** yuanying has quit IRC02:25
*** salv-orlando has quit IRC02:27
*** yuanying has joined #openstack-kuryr02:27
*** diogogmt has quit IRC02:28
*** wanghua has joined #openstack-kuryr02:35
*** fawadkhaliq has quit IRC02:38
*** kexiaodong has quit IRC02:40
*** tfukushima has joined #openstack-kuryr02:40
*** tfukushima has quit IRC02:41
*** salv-orlando has joined #openstack-kuryr02:41
*** tfukushima has joined #openstack-kuryr02:42
*** salv-orlando has quit IRC02:48
*** fawadkhaliq has joined #openstack-kuryr02:54
*** apuimedo has quit IRC02:57
*** apuimedo has joined #openstack-kuryr03:06
*** kexiaodong has joined #openstack-kuryr03:06
*** diogogmt has joined #openstack-kuryr03:17
*** yuanying_ has joined #openstack-kuryr03:19
*** yuanyin__ has joined #openstack-kuryr03:20
*** yuanying has quit IRC03:22
*** yuanying_ has quit IRC03:23
*** yuanyin__ has quit IRC03:29
*** yuanying has joined #openstack-kuryr03:29
tfukushimabaohua: Although you are assigned to https://bugs.launchpad.net/kuryr/+bug/1516539, can I add "sudo" to the command to run Kuryr in README.rst?03:50
openstackLaunchpad bug 1516539 in kuryr "failed to start Docker container with network created by kuryr" [High,In progress] - Assigned to Baohua Yang (yangbaohua)03:50
tfukushimaI found it'd be confusing in general.03:50
*** banix has quit IRC03:54
openstackgerritTaku Fukushima proposed openstack/kuryr: Add "sudo" to the instruction for running Kuryr  https://review.openstack.org/27237003:54
openstackgerritTaku Fukushima proposed openstack/kuryr: Add "sudo" to the instruction for running Kuryr  https://review.openstack.org/27237003:56
tfukushimabaohua: I submitted the patch. If you were already working on it, I'll abandon it so please let me know in that case.03:57
tfukushimaIt'd be a temporarily workaround.03:57
*** yuanying has quit IRC03:57
*** yuanying has joined #openstack-kuryr03:58
*** yuanying has quit IRC04:02
*** yuanying has joined #openstack-kuryr04:08
*** fawadkhaliq has quit IRC04:12
*** fawadkhaliq has joined #openstack-kuryr04:32
*** diogogmt has quit IRC04:56
baohuasure, tfukushima, i will talked with toni to see if more solutions.05:03
*** tfukushima has quit IRC05:16
*** tfukushima has joined #openstack-kuryr05:50
*** tfukushima has quit IRC06:05
*** tfukushima has joined #openstack-kuryr06:07
*** fawadkhaliq has quit IRC06:13
*** irenab has quit IRC06:24
*** apuimedo has quit IRC06:29
*** vikasc has joined #openstack-kuryr06:35
*** salv-orlando has joined #openstack-kuryr06:38
vikascbaohua, hi06:41
*** salv-orlando has quit IRC06:42
*** gsagie has quit IRC06:43
vikasctfukushima, ping06:44
*** salv-orlando has joined #openstack-kuryr06:56
baohuahi vikasc07:06
vikascbaohua, just to confirm07:09
vikascbaohua, we have k8s integration meeting at 15:00 UTC today07:10
vikascbaohua, ?07:10
baohuathe meeting is discussion about the support of the cni model (https://github.com/appc/cni/blob/master/SPEC.md)07:10
vikascbaohua, it is today itself?07:11
baohuayes on Tuesday 15:00 UTC, so it should be about 8 hour later today.07:11
vikascbaohua, thanks  for confirming :)07:12
baohuasure :)07:12
*** fawadkhaliq has joined #openstack-kuryr07:20
*** vikasc has quit IRC07:22
*** apuimedo has joined #openstack-kuryr07:44
*** salv-orlando has quit IRC07:46
*** fawadkhaliq has quit IRC07:49
*** fawadkhaliq has joined #openstack-kuryr07:50
*** lezbar__ has quit IRC08:11
*** devvesa has joined #openstack-kuryr08:18
openstackgerritBaohua Yang proposed openstack/kuryr: Add container connect/disconnect tests to fullstack gate job  https://review.openstack.org/26510508:45
*** salv-orlando has joined #openstack-kuryr08:47
*** fawadkhaliq has quit IRC08:57
*** fawadkhaliq has joined #openstack-kuryr08:57
*** salv-orlando has quit IRC09:01
*** salv-orlando has joined #openstack-kuryr09:03
*** lezbar has joined #openstack-kuryr09:12
*** vikasc has joined #openstack-kuryr09:12
openstackgerritBaohua Yang proposed openstack/kuryr: Check if the return net list is empty before deleting it  https://review.openstack.org/26508709:35
*** fawadkhaliq has quit IRC09:39
*** fawadkhaliq has joined #openstack-kuryr09:39
*** salv-orl_ has joined #openstack-kuryr10:06
*** tfukushima has quit IRC10:07
*** salv-orlando has quit IRC10:08
*** tfukushima has joined #openstack-kuryr10:10
*** tfukushima has quit IRC10:22
*** vikasc has quit IRC10:41
*** salv-orl_ has quit IRC10:45
*** salv-orlando has joined #openstack-kuryr11:01
*** irenab has joined #openstack-kuryr11:24
*** kexiaodong has quit IRC11:30
*** vikasc has joined #openstack-kuryr11:33
*** fawadkhaliq has quit IRC11:34
*** baohua has quit IRC12:00
*** salv-orlando has quit IRC12:11
*** salv-orlando has joined #openstack-kuryr12:13
*** banix has joined #openstack-kuryr12:26
*** banix has quit IRC12:28
*** banix has joined #openstack-kuryr12:44
*** banix has quit IRC12:47
*** salv-orlando has quit IRC12:57
openstackgerritMerged openstack/kuryr: Add "sudo" to the instruction for running Kuryr  https://review.openstack.org/27237012:58
*** vikasc has quit IRC13:00
*** fawadkhaliq has joined #openstack-kuryr13:02
*** baohua has joined #openstack-kuryr13:24
*** fawadkhaliq has quit IRC13:25
*** baohua_ has joined #openstack-kuryr13:26
*** baohua has quit IRC13:29
*** banix has joined #openstack-kuryr13:44
*** diogogmt has joined #openstack-kuryr13:57
*** salv-orlando has joined #openstack-kuryr13:58
*** salv-orlando has quit IRC14:03
*** apuimedo has quit IRC14:04
*** diogogmt has quit IRC14:20
*** baohua has joined #openstack-kuryr14:36
*** baohua_ has quit IRC14:39
*** fawadkhaliq has joined #openstack-kuryr14:49
*** gsagie has joined #openstack-kuryr14:52
*** salv-orlando has joined #openstack-kuryr14:54
*** salvorl has joined #openstack-kuryr14:56
*** apuimedo has joined #openstack-kuryr14:56
*** salv-orlando has quit IRC14:57
gsagieHello all14:58
baohuahi, gal14:58
*** vikasc has joined #openstack-kuryr14:58
banixhi14:58
fawadkhaliqhola14:58
vikaschi14:59
banixirenab: apuimedo are you around?14:59
salvorlAloha15:00
apuimedoლ(°◡°ლ)15:00
irenabhey15:00
irenabapuimedo: nice :-)15:00
*** baohua has quit IRC15:01
*** baohua has joined #openstack-kuryr15:01
banixShall we get started?15:01
apuimedo+115:01
banixSo we wanted to discuss the integration with / support of CNI15:02
apuimedogsagie: banix: do you know how to ask the openstack boot to log it?15:02
apuimedosalvorl: ^^15:02
gsagieapuimedo: i think everything in this channel is logged15:02
banixi think these are all logged15:02
*** baohua_ has joined #openstack-kuryr15:02
banixincluding your fancy art work Toni15:02
apuimedoI meant to make it logged like a meeting with action points and all that jazz15:02
*** baohua has quit IRC15:02
apuimedobanix: good. My descendants should know the beauty of ascii art15:03
gsagiethats probably not possible15:03
apuimedook15:03
banix#startmeeting kuryr15:03
openstackMeeting started Tue Jan 26 15:03:17 2016 UTC and is due to finish in 60 minutes.  The chair is banix. Information about MeetBot at http://wiki.debian.org/MeetBot.15:03
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:03
openstackThe meeting name has been set to 'kuryr'15:03
fawadkhaliqapuimedo: lol15:03
apuimedoit is alive!15:03
gsagiemaybe it is :)15:03
apuimedo:-)15:03
apuimedobanix, you are chair and table15:03
apuimedoset the topics ;-)15:03
banix#chair apuimedo15:03
openstackCurrent chairs: apuimedo banix15:04
apuimedodarn15:04
apuimedothat happens for talking too much15:04
banix:)15:04
fawadkhaliqgood one banix ;-)15:04
apuimedo#topic kubernetes libnetwork usage15:04
apuimedommm15:04
irenabapuimedo: not sure about the topic ...15:04
apuimedoseems it doesn't work15:04
irenabits either first orsecond ...15:04
apuimedowell, everybody read it15:05
apuimedoin this topic I would like to go through the current state15:05
*** qwebirc16548 has joined #openstack-kuryr15:05
irenabkube already has CNI support:   https://github.com/kubernetes/kubernetes/tree/master/pkg/kubelet/network/cni15:05
irenaband it seems to be the prefered way to go15:05
apuimedoand in my opinion I would put to rest the possibility of just holding out for the possibility of just using an eventual libnetwork support15:05
apuimedoand relying on configuration to plug to a network15:06
apuimedodo we all agree with that?15:06
gsagiei do15:06
vikasc+115:06
irenab+115:06
qwebirc16548um, what does that mean exactly?15:06
banix+0.815:06
fkautzIt's unlikely k8s will support libnetwork at this point15:06
qwebirc16548I do not see much movement toward libnetwork among the kube community15:06
baohua_+0.515:07
qwebirc16548If you do not care about k9s load balancers, we already have all that we need from k8s15:07
fkautzUnless something fundamentally changes in either k8s or docker philosophy15:07
qwebirc16548we can write a CNI plugin that invokes `docker network` to do what is needed.15:07
banixqwebirc16548: that’s what I am wondering if we can do15:08
irenabqwebirc16548: can you elaborate?15:08
qwebirc16548sure...15:08
fawadkhaliqqwebirc16548: not sure its a straight forward mapping15:08
fawadkhaliqirenab: +115:08
qwebirc16548In the CNI plugin's add-container-to-network operation, use `docker network` to disconnect from "none" and then connect to the desired network.15:08
qwebirc16548This is assuming it can determine the desired network.15:09
apuimedoqwebirc16548: doing a CNI plugin that calls docker network is still abandoning direct libnetwork ideas15:09
qwebirc16548I am thinking of a simple scenario with one network per k8s Namespace15:09
apuimedoqwebirc16548: are you Shu Tao?15:09
qwebirc16548When the CNI plugin invokes `docker network`, this goes through libnetwork.  So no abandonment there.15:09
*** salv-orlando has joined #openstack-kuryr15:10
qwebirc16548No, I am not Shu Tao.  But I know him.15:10
vikascqwebirc16548: namespace maps to tenants in k8s15:10
apuimedoMike Spreitzer then I bet :P15:10
qwebirc16548bingo15:10
apuimedoanyway15:10
vikascqwebirc16548: then one tenant having more networks is very likely15:10
qwebirc16548I am supposing each tenant gets one network15:10
qwebirc16548Yes, that's the next level15:10
qwebirc16548doing that will require more15:11
vikascqwebirc16548: hmm15:11
*** salv-orlando has quit IRC15:11
apuimedodoing a CNI translation to the current libnetwork driver is still doing a CNI plugin15:11
qwebirc16548so?15:11
*** salv-orlando has joined #openstack-kuryr15:11
apuimedoso, can we establish that we are doing that before deciding in which manner go?15:11
banixyes, but it will be a simpler one which will be able to utlize our Kuryr plugin15:11
qwebirc16548I will do it myself if nobody else gets to it sooner15:12
*** salvorl has quit IRC15:12
apuimedook, moving on15:12
fkautzi don't think it'll be that simple, but worth looking into15:12
gsagieso you are basically adding lib network support to cabernets, in some way which is probably not optimal but good enough15:12
apuimedo#topic CNI plugin15:12
gsagiekubernetes15:12
salv-orlandogsagie: love that autocorrect15:12
qwebirc16548BTW I see work in the k8s networking group that will pass more info, so that a tenant can have multiple networks15:12
gsagie:)15:13
vikasccni plugin takes just two args, ADD and DELETE. To utilize it existing kuryr only way is to refactor kuryr15:13
apuimedoxD15:13
apuimedoqwebirc16548: for the openshift-namespaces15:13
apuimedoI also saw that15:13
*** vikasc_ has joined #openstack-kuryr15:13
salv-orlandovikasc: which I agree, but what is the contributors' opinion on developing and maintaining both plugins?15:13
qwebirc16548Unfortunately I have been away for a week, wrestling with Ursula15:13
apuimedoalright, so basically we have two approaches15:14
banixvikasc: I think the suggestion is to use the docker (network) API to implement the CNI API15:14
qwebirc16548I think I want to make a counter-proposal, that keeps tenant = Namespace, but have not written it yet15:14
apuimedorefactor kuryr and have two different frontends, libnetwork and cni15:14
apuimedoor have cni be a translation to libnetwork with a bit of extra configuration/assumptions15:14
baohua_like this idea15:14
vikascbanix: yes, in tha case we will not be able to leverage any of existing work15:14
banixvikasc: why not?15:15
apuimedobaohua_: which idea?15:15
baohua_your idea or two front end but one kuryr, should try leverage current kuryr code at most15:15
salv-orlandoapuimedo: the latter implies you're assuming CNI will always back docker.15:15
fkautzapuimedo: are you suggesting a side channel with extra info passed to support anything libnetwork doesn't?15:15
salv-orlandonow that might true but at least on the table docker's not the only one15:15
apuimedosalv-orlando: well, I'm cheating actually15:15
salv-orlandoapuimedo: you're so openstack ;)15:16
apuimedoI actually think that it is not option 1 or option 215:16
apuimedoI think it is option 1 for right now. Then make a proper option 215:16
irenabapuimedo: can you please identify option 1 and option2, so we can refer during discussion15:16
baohua_should not wait the decision from k8s team, so start with option #115:16
salv-orlandoI mean option 2 could be a short term implementation for the CNI plugin15:16
salv-orlandoand then we can iterate over it15:17
qwebirc16548can someone please clarify which is 1 and what is 2?15:17
apuimedooption T -> translate15:17
vikascbanix: i meant whatever we have in kuryr today is libnetwok apis handlers. calling docker network will not fit into cni model15:17
qwebirc16548why not?15:17
apuimedooption F -> different frontends15:17
baohua_option #F can keep the code more clean, and flexible for further possible change.15:18
apuimedobaohua_: agreed15:18
banixyes, the choice is whether we expand the scope of Kuryr to support container networking (docker and others) through OpenStack networking. I think the answer is yes.15:18
fkautzHaving worked on building such a bridge, I agree with vikasc15:18
baohua_option #T requires assumption they finally get to libnetwork15:18
apuimedoIMO that's the way to go for the future15:18
irenabso option F is to have CNI to call neutron?15:18
apuimedooption T would be something that we use short term an for no longer than the end of the Mitaka cycle15:19
apuimedoirenab: that's right15:19
qwebirc16548vikasc: why does calling `docker network` CLI not fit into the CNI model?15:19
fkautzqwebirc16548: part of it is what info is owned by the user vs libnetwork, e.g. Things like which network namespace is being used is not exposed in libnetwork15:19
apuimedoqwebirc16548: I don't think that it can't fit. I think that it may not offer as much potential as a specialized frontend in the mid/long term15:20
fkautzK8s wrote a blog post on why libnetwork doesn't work for them on their blog15:20
vikascapuimedo: +115:20
fkautzMany of the concerns will apply here15:20
vikascfkautz: +115:20
qwebirc16548Yes, I read that blog post and agree15:20
fkautzBut a lot of it is in who owns what and what gets exposed15:20
banix#link http://blog.kubernetes.io/2016/01/why-Kubernetes-doesnt-use-libnetwork.html15:20
baohua_oh, more concerns now.15:20
qwebirc16548Both sides have moved on since15:20
fkautzCan't make decisions if you don't have the info15:21
irenabk8s is not Docker specific, so option T will limit15:21
fawadkhaliqirenab: +115:21
qwebirc16548oh, that's newer15:21
vikascirenab: nice point15:21
baohua_so we have the same context now15:21
salv-orlandoI see translation only as a stopgap measure - ie: something that can work while a proper plugin not dependent on libnetwork is implemented15:21
banixso let’s back up for a second if you all agree15:21
irenabcan we drop option T ?15:22
apuimedoqwebirc16548: I see value on right now having work on a thin CNI plugin that does network per namespace.15:22
apuimedoas salv-orlando says, a stopgap measure15:22
fkautzRight, that's my primary concern with a bridge. I would love to see a generic bridge exist. Maybe a bridge specific for Kuryr is more attainable because you can make assumptions15:22
qwebirc16548Yes, I suggest starting there and then expanding as both k8s and docker evolve15:22
banixthe main issue here is that we are saying we want to support all contain run times and if thats the case relying on libnetwork doesn’t make sense. long term.15:22
banixright?15:22
vikasci would prefer a seperate plugin sharing libs with libnetwork plugin15:22
irenabvikasc: I share same understanding15:23
apuimedobanix: that's right. I never intended kuryr to be just a libnetwork driver, but bringing neutron to containers15:23
salv-orlandovikasc: I think that's attainable at no cost.15:23
baohua_banix: agree, we should expand more.15:23
vikascsalv-orlando: i too believe so15:24
apuimedoDo we all agree that long term, we see option F as the right one?15:24
baohua_apuimedo:+115:24
apuimedoI'll put my +115:24
vikasc+115:24
banixapuimedo: yes15:24
fkautz+1 on F15:24
fawadkhaliqapuimedo: +1 yes, until there is one option left ;-)15:25
apuimedoirenab: ^^, gsagie ^^15:25
irenab+115:25
gsagie+115:25
apuimedoalright, I think we have good enough support15:25
baohua_agile decision:)15:25
irenabthe question if we start with option F or you still want short term option T?15:25
apuimedo#info The long term goal is to have different frontends for different platforms15:25
apuimedo#topic implementation of a works-now translation layer for Kubernetes (with docker)15:26
vikascmy opinion start with F15:26
baohua_i suggest start with option #F directly15:26
irenab+115:26
gsagiestart with option F, we can work in parallel if anyone wants to start working on the T option as well15:26
apuimedofirst of all15:26
vikascgsagie: +115:26
apuimedodon't get so hasty with the votes :P15:26
irenabgsagie: agree, it is ortogonal15:26
apuimedo(╯° °)╯彡┻━┻15:27
fkautz+1 chair flip :p15:27
fkautzI assume that's a bench15:27
apuimedoplease qwebirc16548, could you give us more information about the design for the translation layer?15:27
qwebirc16548sure15:27
apuimedofkautz: it's a bar stool15:27
baohua_guangdang~15:27
qwebirc16548I am thinking of starting simple, as I said...15:27
qwebirc16548Actually, in my environment this is all behind another API layer anyway, which makes it easier...15:28
qwebirc16548With a k8s NS per tenant, and a network per tenant, all not visible to the real client15:28
apuimedowith the level of information that reaches the CNI plugin, qwebirc16548, what is missing for doing the translation?15:28
qwebirc16548implicit isolation between tenants15:28
qwebirc16548My current understanding is nothing is lacking for my under-the-covers isolation15:28
qwebirc16548I can invent a network name based on the Namespace15:29
irenabqwebirc16548: seems you assume specific app deployment use case, right?15:29
qwebirc16548and away I go.15:29
qwebirc16548Yes, like I said.15:29
irenabnamespace = Tenant?15:29
qwebirc16548that is, what I said is all that I assume (that I remember right now)15:29
qwebirc16548yes15:29
irenabone network per Tenant?15:30
qwebirc16548irenab: yes15:30
qwebirc16548As I said, my use pattern is implicit isolation between tenants.15:30
irenabqwebirc16548: does it correspondsto the kube-sig-net proposel 2?15:30
salv-orlandoqwebirc16548: which is cool. What would be the corresponding topology in openstack?15:30
salv-orlandoI ask because we might have to punch holes here and there15:31
qwebirc16548Have not had time to study those enough yet.  Been wrestling with Ursula.15:31
irenabhttps://docs.google.com/document/d/1W14C03dsBbZi23FN0LmDe1MI0WLV_0-wf_mRxLr2-g4/edit15:31
apuimedowould it be a single network, single subnet per tenant?15:31
irenabit maybe subnet per Node15:31
qwebirc16548Yes, I think one subnet per network15:31
apuimedoqwebirc16548: what to do with the cluster ips?15:32
apuimedocause I assume we'd not have kube-proxy running to set iptables redirects for those15:32
qwebirc16548in k8s speak, "cluster IPs" are the IPs handed out to the containers,right?15:32
irenabto services15:32
qwebirc16548Like I said, I have a caveat: we do not care about k8s load balancers15:33
apuimedoqwebirc16548: it's an ip that takes you to any of the pods15:33
baohua_service layer ip15:33
apuimedoin our prototype we use LBaaS for those15:33
qwebirc16548Oh, right.  The terms are cluster IPs (for the hosts), pod IPs, and service IPs. IIRC15:33
baohua_it's not binding with lb15:33
apuimedoso we had a separate subnet for cluster ips15:33
irenabqwebirc16548: how the service level connectiviy will work without load balancers?15:33
fkautzWouldn't eliminating load balancers effectively eliminate k8s services?15:34
qwebirc16548k8s has LBs for services and for ingress resources.15:34
baohua_the cluster ip is handled by kube-proxy15:34
qwebirc16548The caveat I said means you don't care about k8s services and ingress resources.15:34
*** salv-orlando has quit IRC15:34
irenabqwebirc16548: so you plan to keep using kube-proxy as is?15:34
fkautzThere is a node port for service, but I recall that not being preferred15:34
qwebirc16548If you want to use those, then you have to think harder.15:34
*** salv-orlando has joined #openstack-kuryr15:35
qwebirc16548No, I mean a starting level of development that does not support k8s services and ingress resources.15:35
qwebirc16548that makes kube-proxy irrelevant.15:35
qwebirc16548If you want to integrate with kube-proxy then you need non-trivial changes in k8s...15:36
qwebirc16548or maybe lots of Neutron work with FWaaS.15:36
qwebirc16548I have not finished thinking that through.  Been wrestling with Ursula.15:36
apuimedoqwebirc16548: Ursula?15:37
qwebirc16548we might be able to use FWaaS to do something like what OpenShift did15:37
qwebirc16548Ursula is ansible to install OpenStack15:37
qwebirc16548(yet another)15:37
apuimedoah!15:37
apuimedono more installers!15:38
baohua_yet another!15:38
irenabapuimedo: you should have know it ;-)15:38
qwebirc16548sorry, it has some local currency15:38
apuimedoy=ー( ゚д゚)・∵.15:38
qwebirc16548even though too few people seem to recognize the author that gave us the word "ansible"15:38
fkautzNothing wrong with long distance communication!15:39
fkautzFTL15:39
irenabso back to kube on kuryr, do we have a plan?15:39
fawadkhaliqqwebirc16548: apuimedo, I think it would be great if we agree upon on the use case we are trying to address in the stop gap solution and then it will be easier to agree on a solution if any.15:39
apuimedoirenab: you mean an option T plan15:39
qwebirc16548Do you guys think FWaaS is up to the task?15:39
apuimedofawadkhaliq: precisely. I want to set the minimums15:40
irenabfawadkhaliq: +1 on starting with use case15:40
salv-orlandoirenab: idk it seems to me the plan is to wait for qwebirc16548 to finish his fight with Ursula.15:40
fawadkhaliqqwebirc16548: lol nope15:40
qwebirc16548If so then I think we can do a stop-gap that uses FWaaS in a pattern like OpenShift did.15:40
irenabsalv-orlando: :-)15:40
vikasclol15:40
apuimedoFWaaS as a requirement is a bit of a non-starter15:40
apuimedoI'd rather rely on other primitives15:40
fawadkhaliqexactly15:40
fkautzthe load balancers in open shift is a userspace app, we could use it here maybe?15:40
irenabsecurity groups?15:40
apuimedofkautz: LBaaS and security groups should get option T a long way15:41
qwebirc16548I think it could be done with SGs, but it's kinda ugly15:41
qwebirc16548My deepest worry about SGs is two:15:41
apuimedofor that, we should probably make kuryr let you chose sg finally :P15:41
qwebirc165481 is robustness, 2 is performance of control plane, 3 is performance of data plane15:41
fkautzin the long run, I think LBaaS through neutron or another means is best :)15:41
apuimedocause the libnetwork driver still does not let you15:41
fkautzUser space packet copying will eventually affect perf15:42
salv-orlandoqwebirc16548: I assume you're referring to neutron ref impl. I wonder why that would not be a worry with fwaas though15:42
qwebirc16548Doing the OpenShift pattern with SGs means you limit what can be sent, not what can be received.   So one sender that breaks out has complete access to everyone.15:42
qwebirc16548salv-orlando: I am discussing worries about using SGs to get isolation between tenants15:43
qwebirc16548when kube-proxy is being sued.15:43
qwebirc16548used.15:43
apuimedoI'm not familiar enough with the reference impl to comment15:43
salv-orlandoqwebirc16548: service-2-pod networking then. ok.15:43
irenabIn my opinion we should try to start aligned with kube-sig-net proposal, probably the most basic case15:44
qwebirc16548salv-orlando: that's why you have to limit on the sending side.  Everyone has to be able to receive from the kube-proxy15:44
qwebirc16548proxies15:44
apuimedobut, couldn't we start working on the kube-proxy alternative for option F and option T could leverage it?15:44
qwebirc16548working on a kube-proxy involves k8s changes...15:45
qwebirc16548which are being discussed there.15:45
apuimedoas in, no kube-proxy, but something that makes API calls to Neutron15:45
salv-orlandoapuimedo: that is a viable option but you might want to discuss with k8s upstream too15:45
apuimedosalv-orlando: I was thinking pluggability at the k8s API server level actually15:45
apuimedoI haven't checked if that requires k8s changes yet15:46
fkautzapuimedo: right now is the best time to bring that up15:46
apuimedofkautz: you are completely right15:46
fkautzK8s is talking about long term shape of networking15:46
fkautzThursday at I think 5pm est is a meeting for k8s15:46
fkautzDefinitely join it15:46
salv-orlandoapuimedo: pluggability in the kube-proxy so far is an if statement where one branch loads the deprecated userspace LB15:46
irenabapuimedo: I think it can be done wothout changes, just watching the API objects should be enough, like kube-proxy or skyDNS do15:46
apuimedoimho, and with having read the API server15:47
salv-orlandoit's wedds 2PM PST for this week15:47
fkautzOh, Wednesday this week, good to know. :x15:47
apuimedowe (k8s integrators) could get a lot of flexibility out of being able to create entities from the API objects15:47
apuimedoand then have the CNI layer just plug into those15:47
irenabapuimedo: +115:48
apuimedo(also would help with latency elimination going all the way to neutron and beyond for some things)15:48
irenabapuimedo: so CNI mostly for binding?15:49
apuimedothat's one way15:49
apuimedobanix: I don't see you around ;-)15:49
irenabI think it is expected tocall IPAM driver too15:49
banixapuimedo: Tables don’t talk much15:50
apuimedoirenab: sure. A part of the IPAM would be at CNI level15:50
*** baohua_ has quit IRC15:50
irenabapuimedo: we have 10  mins left. Can you get some summary on next steps?15:51
apuimedoin my mind we need either that, or we need to contribute to the kube-proxy pluggability significantly15:51
apuimedobecause its current level of pluggability, as salv-orlando says, is just not where we'd need it to be for option F15:51
qwebirc16548I would like to see a long term design, aligned with ks8 net sig thinking15:52
salv-orlandoapuimedo: well... you might want to consider running an os-kube-proxy15:52
qwebirc16548That requires some thinking and writing on both sides15:52
apuimedoAlso, we probably will need somewhere to perform the translations of "series of `allofrom`" to Neutron entities15:52
salv-orlandoat the end of the day k8s components are all loosely coupled bits that communicated with the API server15:53
qwebirc16548I am not  quite ready to spout the design now.15:53
fkautzI agree entirely with qwebirc16548's comment on alignment15:53
salv-orlandoneither am I - I am just saying let's not constraint ourselves into anything and keep all options on the table15:53
apuimedoI agree with that15:54
apuimedoKuryr set out to work as a bridge with the communities15:54
apuimedoand we have to be more present in the k8s community right now15:54
apuimedothat said15:54
apuimedoAt least I, need to learn better the options for retrieving the level of information we need for creating the load balancers, modelling allowFrom to subnets, etc15:55
apuimedoand it does not sound to me like the idea they had of pushing more and more info to CNI is the right way15:56
irenabapuimedo: I think we should decide on the kuryr components/libs15:56
apuimedo(it sounds a bit too much like the problems we've had with the slightly arbitrary kind of information we get from libnetwork)15:56
apuimedoirenab: ?15:57
irenabwe may need some API watcher , which does not fit well into kurrent on node kuryr service15:57
apuimedowhat I'd like to do, as it appears simpler in my mind is to first15:57
apuimedo1.- Take a few Kubernetes typical usages and redraw them using Neutron components15:58
apuimedo2. find the best places in k8s to create them15:58
apuimedo3. Make those possible in k8s if they are not or settle for good approximations15:58
apuimedo2-3 need quite a bit of participation upstream15:59
apuimedoqwebirc16548: Do you want to replicate the OpenShift networking model or something a bit different?16:00
irenabqwebirc16548: any link you can share on openShift network model?16:00
qwebirc16548I'm not real enthused about that one, but it's an existing design that works in k8s without doing violence to it.16:00
qwebirc16548I do not have a link.  I can write very briefly here, then have to go to next mtg.16:01
qwebirc16548Each tenant has one private network16:01
qwebirc16548each VM/container can send to any other on the private network (subject to SGs) and to services16:01
qwebirc16548I am not sure which ones16:01
qwebirc16548Mainly tenant's own services, I suppose16:01
qwebirc16548Later16:02
*** qwebirc16548 has quit IRC16:02
fawadkhaliqirenab: https://docs.openshift.com/enterprise/3.0/architecture/additional_concepts/networking.html16:02
irenabthanks16:02
apuimedo#link https://docs.openshift.com/enterprise/3.0/architecture/additional_concepts/networking.html16:02
irenabI would say we need to identigy the use case to support first16:03
fawadkhaliqirenab: +116:03
fkautzand unfortunately, that is still a moving target, but I think we have enough now that we can approximate16:03
apuimedofkautz: it is a moving target indeed. But we can help moving it16:04
fkautz+116:04
apuimedoif we agree on what we want it to be16:04
fawadkhaliqfkautz: agree. we can plan for it16:04
fawadkhaliqapuimedo: exactly16:04
apuimedothat's why I said I wanted to translate deployment configurations into neutron primitives16:04
*** vikasc_ has quit IRC16:04
apuimedoagree on those16:04
apuimedoand then help move the k8s target to make those possible16:05
irenabapuimedo: this is right, we need to identify the scenario we want to support16:05
apuimedoso far it seems like they are still planning for different modes16:05
irenabshall we start some use cases doc/etherpad?16:05
apuimedoone where there is full isolation16:05
banixapuimedo: time for a few action items16:06
apuimedoand every connectivity is defined via allowfrom16:06
vikascirenab: can we use existing k8s etherpad?16:06
irenablets add a section there16:06
apuimedoand another mode where there is connectivity between pods but services require the allowfrom16:06
apuimedobanix: agreed16:06
*** salv-orl_ has joined #openstack-kuryr16:06
fkautzLink?16:07
irenabvikasc: we already have use cases section :-)16:07
irenabhttps://etherpad.openstack.org/p/kuryr_k8s16:07
irenabneed to add content16:07
fkautzThanks, I'll contribute to it as well16:07
fawadkhaliq#link https://etherpad.openstack.org/p/kuryr_k8s16:07
vikascirenab: lets do :)16:07
apuimedo#action everybody come to next monday meeting with a translation of deployments into neutron primitives16:07
apuimedoplease put a link to the diagram in the etherpad16:07
irenabapuimedo: so we can have few to chose from :-) ?16:08
apuimedoirenab: or rather to converge16:08
irenab+116:08
apuimedowho can make tomorrow's meeting with k8s-sig-net?16:08
fkautzI will be there16:08
banixi can16:08
vikascvikasc: i will also attend16:09
apuimedoI'll do my best to make it too16:09
irenabsame here16:09
fawadkhaliqwill try16:09
*** salv-orlando has quit IRC16:09
apuimedo#action fkautz banix vikasc irenab to try to find out on the pushing infor to CNI versus pluggability at a higher level16:09
apuimedofawadkhaliq: if you can try as well even better :-)16:09
fawadkhaliqapuimedo: will do :-)16:10
apuimedobanix: do you think qwebirc16548 could come to next kuryr meeting with a bit more defined plan for option T16:10
apuimedoso we can decide on it16:10
*** devvesa has quit IRC16:10
apuimedoin the worst case. I believe that option F should be developed in a way that still allows for option T to happen16:11
banixapuimedo: will talk to him but you know Ursala is pretty merciless ;)16:11
apuimedo¯\_(ツ)_/¯16:11
banixi agree16:11
fawadkhaliqrofl16:11
apuimedoinstallers are a plague16:11
apuimedoanyway16:11
apuimedoI'd like to have more info on option T to see the level of effort that would have to go into it16:12
apuimedoand if we can make it for Mitaka16:12
apuimedobanix: irenab gsagie vikasc fawadkhaliq fkautz: any action I am missing?16:13
banixso we are going to discuss during the weekly meeting next week? and then of need be another of these meetings I suppose16:13
apuimedoI'd rather have it in the usual slot next week. If we see that the meetings start to overflow16:13
apuimedowe can make a kuryr-sig-k8s16:13
apuimedo:P16:13
irenabbanix: I think we agreed to adduse cases in the etherpad16:13
banixyes16:13
fawadkhaliqapuimedo: nope. looks good. it's a good start.16:13
apuimedogoing once16:13
apuimedo•_•)16:14
banix#endmeeting16:14
openstackMeeting ended Tue Jan 26 16:14:14 2016 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:14
openstackMinutes:        http://eavesdrop.openstack.org/meetings/kuryr/2016/kuryr.2016-01-26-15.03.html16:14
apuimedogoing twice16:14
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/kuryr/2016/kuryr.2016-01-26-15.03.txt16:14
openstackLog:            http://eavesdrop.openstack.org/meetings/kuryr/2016/kuryr.2016-01-26-15.03.log.html16:14
banixtable interrupted the chair! :)16:14
irenabseems table takes actions :-)16:14
apuimedo( •_•)>⌐■-■,16:14
fawadkhaliqtrickster..gone already16:14
fawadkhaliqlol16:14
apuimedo (⌐■_■)16:14
apuimedodarn, that didn't make it into the log16:14
apuimedo:P16:14
apuimedobanix: now I am sad16:14
apuimedoI'll have to fix my alias16:15
banixsad panda kind of sad?16:15
irenabapuimedo: banix : thanks for leading the meeting16:15
apuimedoindeed16:15
irenabbye16:15
apuimedobanix: I'll have to go to kfc to cheer up16:15
banixbye all16:15
banix:)16:15
fawadkhaliqbye16:15
fawadkhaliqapuimedo: take it easy there ;-)16:15
apuimedofawadkhaliq: I can't promise anything16:16
apuimedothank you all for joining!16:16
apuimedoit was a very nice meeting16:16
gsagieI wish we had KFC in israel..16:17
gsagieso i could cheer up16:17
fawadkhaliqgsagie: whaat16:17
gsagie:)16:18
fawadkhaliqapuimedo: send some over to gsagie man, we need the entire team happy :-)16:18
apuimedogsagie: there is no KFC there?!16:18
apuimedothat's terrible16:18
gsagienope16:19
apuimedoI only knew Myanmar doesn't have it16:19
apuimedoyou are in a very bad list now16:19
gsagieheh yes16:19
*** fawadkhaliq has quit IRC16:20
*** vikasc has quit IRC16:22
*** devvesa has joined #openstack-kuryr16:26
*** diogogmt has joined #openstack-kuryr16:26
*** devvesa has quit IRC16:31
*** apuimedo_ has joined #openstack-kuryr16:40
*** apuimedo has quit IRC16:40
*** gsagie has quit IRC16:41
*** gsagie has joined #openstack-kuryr16:50
*** apuimedo_ has quit IRC16:57
*** fawadkhaliq has joined #openstack-kuryr16:57
*** fawadk has joined #openstack-kuryr17:03
*** diogogmt_ has joined #openstack-kuryr17:04
*** banix_ has joined #openstack-kuryr17:05
*** fawadkhaliq has quit IRC17:07
*** diogogmt has quit IRC17:07
*** banix has quit IRC17:07
*** diogogmt_ is now known as diogogmt17:07
*** banix_ is now known as banix17:07
*** openstackgerrit has quit IRC17:17
*** openstackgerrit has joined #openstack-kuryr17:17
gsagiebanix, irenab: https://github.com/contiv/netplugin/tree/master/mgmtfn/k8splugin17:23
*** diogogmt has quit IRC17:44
*** diogogmt has joined #openstack-kuryr17:58
*** fawadk has quit IRC18:24
*** gsagie has quit IRC18:33
*** diogogmt has quit IRC19:35
*** salv-orl_ has quit IRC19:46
*** diogogmt has joined #openstack-kuryr19:49
*** salv-orlando has joined #openstack-kuryr20:47
*** salv-orlando has quit IRC21:00
*** salv-orlando has joined #openstack-kuryr21:30
*** banix has quit IRC21:48
*** salv-orl_ has joined #openstack-kuryr22:06
*** salv-orlando has quit IRC22:09
« Monday, 2016-01-25 Index Wednesday, 2016-01-27 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!