*** hongbin has joined #openstack-kuryr | 01:39 | |
*** kiseok7 has quit IRC | 02:35 | |
*** hongbin has quit IRC | 04:09 | |
*** janki has joined #openstack-kuryr | 05:38 | |
*** pcaruana has joined #openstack-kuryr | 06:07 | |
ltomasbo | good morning irenab | 06:30 |
*** gcheresh_ has joined #openstack-kuryr | 06:35 | |
irenab | ltomasbo, good morning | 07:06 |
ltomasbo | good morning! I'm taking a look at your comments on https://review.openstack.org/#/c/581421/21 | 07:07 |
ltomasbo | I replied to a couple of them, but wanted to discuss possible solutions for the lbaas driver functions names | 07:07 |
irenab | a sec, taking a look on your replies | 07:08 |
ltomasbo | irenab, do you feel it will be enough to add a fixme note about removing the lbaasv2 specific methods (once we drop support for it) and rename the xxx_octavia one? | 07:08 |
ltomasbo | irenab, or do you think it will be better to rename them already with a different name, for instance, I can change the xxx_lbaasv2 one as: | 07:09 |
ltomasbo | _ensure_lb_security_group_rule | 07:09 |
ltomasbo | and the octavia one as: | 07:09 |
ltomasbo | _extend_lb_security_group_rules | 07:09 |
*** ajo has joined #openstack-kuryr | 07:09 | |
ltomasbo | or actually a merge of the two approaches | 07:10 |
irenab | ltomasbo, second option is better imho. It would be good if there was not the type specific check in the v2 driver | 07:12 |
ltomasbo | yep, I already removed that | 07:13 |
ltomasbo | and changed it to ClusterIP and out of that function | 07:13 |
ltomasbo | ok, I'll go for option 2, I'll send a new patch soon-ish | 07:14 |
ltomasbo | thanks! | 07:14 |
irenab | thank you! | 07:15 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add namespace isolation for services https://review.openstack.org/581421 | 07:28 |
ltomasbo | irenab, done! ^^ | 07:28 |
irenab | ltomasbo, much better, waiting for the CI | 07:34 |
ltomasbo | great! | 07:34 |
dulek | celebdor[m]: Hi! This looks a bit bad, isn't it: http://logs.openstack.org/21/581421/22/check/kuryr-kubernetes-tempest-daemon-openshift-octavia/6818168/job-output.txt.gz#_2018-08-06_08_10_20_690322 ? | 09:06 |
dulek | celebdor[m]: I'll just go and add sudo there now. | 09:06 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Add sudo for OpenShift registry CA cert copy https://review.openstack.org/589084 | 09:09 |
dulek | ltomasbo: http://logs.openstack.org/21/581421/22/experimental/kuryr-kubernetes-tempest-daemon-containerized-octavia-namespace/ad538cb/controller/logs/kubernetes/pod_logs/kube-system-kuryr-controller-7db7c944fb-7pwn6.txt.gz#_2018-08-06_08_50_22_709 | 09:11 |
openstackgerrit | Daniel Mellado proposed openstack/kuryr-kubernetes master: Implement NP SG create/delete actions https://review.openstack.org/583540 | 09:36 |
dmellado | irenab: could you have a look at ^` | 09:37 |
dmellado | thanks! | 09:37 |
dmellado | ltomasbo: dulek celebdor[m] feel free to review it as well xD | 09:37 |
irenab | dmellado, sure | 09:38 |
irenab | asap | 09:38 |
dmellado | irenab: thanks!, it's a wip for now, as I intend to do follow-up patches on this | 09:38 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Add sudo for OpenShift registry CA cert copy https://review.openstack.org/589084 | 10:30 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: WIP: Add HA gate https://review.openstack.org/588223 | 10:52 |
irenab | dmellado, I won't be able to attend the call on SRIOV today due to some personal stuff | 11:03 |
dmellado | irenab: no worries, I'm also a li'l bit feverish so I might have dulek cover that for me | 11:03 |
dmellado | irenab: in any case we'll get to discuss it in some follow-ups | 11:04 |
dmellado | AlexeyPerevalov: ^^ FYI | 11:04 |
irenab | dmellado, this would be great | 11:04 |
dulek | dmellado: If celebdor[m] is also not going to join we might want to reschedule it. | 11:04 |
dmellado | dulek: celebdor[m] told me he'd make it but might be some minutes late | 11:04 |
dmellado | irenab: would it be ok for you any other day this week? | 11:04 |
irenab | yes, both Wed and Thu | 11:05 |
irenab | and Tue | 11:05 |
dmellado | let's make it tentative to Wed if by any chance there's no quorum today | 11:05 |
irenab | but do not hold it if only I cannot make it today, I will follow up | 11:06 |
irenab | dmellado, +1 | 11:06 |
dmellado | dulek: irenab rescheduling this then for Wed then | 11:10 |
dmellado | dulek: now you'd just have to handle the usual meeting, thanks in any case ;) | 11:10 |
irenab | dmellado, possible one hour earlier, 15:00 CET? | 11:11 |
dmellado | irenab: sure, no problems from my side | 11:11 |
dmellado | done and invites sent ;) | 11:13 |
AlexeyPerevalov | dmellado: I got email, thank you, it's convenient time ) | 11:21 |
dmellado | awesome, glad to hear | 11:21 |
*** rh-jelabarre has joined #openstack-kuryr | 11:33 | |
*** maysams has joined #openstack-kuryr | 11:44 | |
openstackgerrit | Daniel Mellado proposed openstack/kuryr-kubernetes master: Implement NP SG create/delete actions https://review.openstack.org/583540 | 12:14 |
openstackgerrit | Genadi Chereshnya proposed openstack/kuryr-tempest-plugin master: Create service with unsupported type https://review.openstack.org/581337 | 12:49 |
openstackgerrit | Genadi Chereshnya proposed openstack/kuryr-tempest-plugin master: Create service with UDP protocol https://review.openstack.org/585694 | 12:53 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add namespace isolation for services https://review.openstack.org/581421 | 13:10 |
*** janki has quit IRC | 13:24 | |
*** tzumainn has joined #openstack-kuryr | 13:37 | |
*** kailun has joined #openstack-kuryr | 13:45 | |
openstackgerrit | Emilio Garcia proposed openstack/kuryr-kubernetes master: Upstream kuryr Active Active High Availibility Development [Do Not Merge/Do Not Test] https://review.openstack.org/582992 | 13:48 |
*** spotz has joined #openstack-kuryr | 14:08 | |
*** celebdor has joined #openstack-kuryr | 14:17 | |
celebdor | dulek: did the sudo help? | 14:36 |
dulek | celebdor: https://review.openstack.org/#/c/589084/ - seems so. | 14:36 |
celebdor | dulek: ltomasbo made a good suggestion | 14:43 |
ltomasbo | xD | 14:43 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Add sudo for OpenShift registry CA cert copy https://review.openstack.org/589084 | 14:44 |
dulek | ltomasbo: Thanks! :) | 14:44 |
ltomasbo | yw! | 14:45 |
*** dougbtv_ has quit IRC | 14:45 | |
dmellado | celebdor: a really good summer one | 14:46 |
celebdor | dmellado: good summer what? | 14:47 |
dmellado | suggestion | 14:47 |
dmellado | 'sudo' | 14:47 |
dmellado | xD | 14:47 |
celebdor | dmellado: merge Michał 's patch before the fever takes you down | 14:47 |
celebdor | I can see that it already took your humor | 14:47 |
celebdor | xD | 14:47 |
ltomasbo | lol | 14:48 |
dmellado | btw folks, I would appreciate reviews on https://review.openstack.org/#/c/583540/ | 14:48 |
dmellado | with this, I go back to the shower/sofa | 14:48 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add namespace isolation for services https://review.openstack.org/581421 | 14:51 |
*** gcheresh_ has quit IRC | 14:51 | |
celebdor | dmellado: is NP=P | 14:53 |
celebdor | ? | 14:53 |
dmellado | celebdor: it depends | 14:54 |
dmellado | if NP means "No Playa" I'm totally up for that now | 14:55 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure OpenShift gate uses the namespace subnet/sg drivers https://review.openstack.org/580680 | 14:58 |
*** celebdor has quit IRC | 15:07 | |
*** celebdor has joined #openstack-kuryr | 15:09 | |
*** pcaruana has quit IRC | 15:12 | |
*** janki has joined #openstack-kuryr | 15:17 | |
ltomasbo | celebdor, irenab: finally passing the gates: https://review.openstack.org/#/c/581421 | 16:10 |
celebdor | :-) | 16:13 |
*** janki has quit IRC | 16:15 | |
ltomasbo | celebdor, dulek: I have an issue I'm not sure how to solve | 16:36 |
ltomasbo | celebdor, dulek: one of the tempest tests (test_pod_pod_ping) is using a FIP to ping from one pod to another | 16:36 |
ltomasbo | celebdor, dulek: with the namespace isolation feature that will not be allowed as I cannot add the public-subnet cidr into the security group as that is not meant to be known by the demo tenant | 16:38 |
celebdor | and? | 16:38 |
celebdor | FIPs should work | 16:38 |
celebdor | cause that's how the loadbalancer service type works as well | 16:38 |
celebdor | or does that work because it's an LB? | 16:38 |
dulek | ltomasbo: Yep, FIP should be accessible from everywhere. | 16:38 |
ltomasbo | loadbalancer subnet can ping pod subnet | 16:39 |
ltomasbo | so, loadbalancer service type is fine | 16:39 |
ltomasbo | and I can curl/ping the pod ip as the access is from the kubelet | 16:40 |
ltomasbo | kubelet-port | 16:40 |
celebdor | didn't we decide to just make the public cidr configurable? | 16:40 |
ltomasbo | really? | 16:40 |
ltomasbo | we decided that we didn't need the public subnet id, and just the public network id is enough | 16:41 |
ltomasbo | but security group rules don't take network id | 16:41 |
ltomasbo | but cidr and that is not accessible from a demo tenant | 16:41 |
ltomasbo | of course I can fix it on devstack deployment if that is find | 16:41 |
ltomasbo | *fine | 16:41 |
celebdor | ltomasbo: Correct me if I'm wrong, but I think horizon somehow gets the cidr | 16:42 |
ltomasbo | really? | 16:42 |
ltomasbo | let me see if it is on the extended version or something | 16:42 |
ltomasbo | or simply not on the python-client | 16:42 |
celebdor | ok | 16:45 |
ltomasbo | I don't see where to get that information | 16:51 |
ltomasbo | celebdor, from the neutron API it seems you can only get subnet id from the network object | 16:51 |
*** hongbin has joined #openstack-kuryr | 16:52 | |
celebdor | ltomasbo: ask on the neutron channel | 16:52 |
celebdor | maybe they'll have an idea | 16:53 |
celebdor | I'll be thinking about it too | 16:53 |
ltomasbo | ok | 16:54 |
ltomasbo | but I'm not sure why this is working by default usually, I may be missing something stupid | 16:54 |
ltomasbo | celebdor, dulek actually, that is the same we have | 16:59 |
celebdor | ltomasbo: what is? | 17:00 |
ltomasbo | fips only work because we have a default sg enabling icmp and ssh from everywhere | 17:00 |
ltomasbo | so, I guess I need to do the same (just with icmp) | 17:00 |
ltomasbo | we will still have the isolation on the namespace, but ping will work between namespaces | 17:00 |
dulek | ltomasbo: Hey, but we shouldn't really depend in Tempest tests on Default SG settings. It can be anything on other clouds. | 17:01 |
dulek | ltomasbo: So I guess tests should set SG explicitly, but that seems troublesome with Kuryr's assumptions. | 17:02 |
ltomasbo | dulek, I actually removed the default sg (that tempest depends on) if namespace feature is enabled | 17:03 |
ltomasbo | but tempest plugging that accounts on FIP, will depend on the security groups applied to the ports always | 17:03 |
ltomasbo | one option is to not use the fip to check pod to pod | 17:03 |
celebdor | dulek: ltomasbo: that test should actually be testing pod to pod on the same k8s namespace | 17:03 |
celebdor | and not using fip | 17:03 |
ltomasbo | I agree | 17:04 |
ltomasbo | and if l3 was the intention, it will be enough to have pod to pod in different namespace, one being the default one | 17:04 |
ltomasbo | so, should I change the test instead then? | 17:04 |
dulek | ltomasbo, celebdor: Yeah, for pod-pod it makes total sense. | 17:04 |
ltomasbo | dulek, what makes sense? not using the fip? | 17:05 |
dulek | ltomasbo: Yup! | 17:05 |
ltomasbo | ok, I'll update the tempest test then! | 17:05 |
ltomasbo | thanks! | 17:06 |
celebdor | ltomasbo: but IIRC there's VM to pod as well | 17:06 |
celebdor | and the VM, again IIRC, is not running on the pod subnet | 17:06 |
celebdor | but in that case, I'd say the test should just check the VM subnet cidr | 17:07 |
ltomasbo | celebdor, but it is connected to the same router? | 17:07 |
celebdor | and add access | 17:07 |
celebdor | ltomasbo: I guess | 17:07 |
celebdor | maybe it uses FIP | 17:07 |
celebdor | I do not recall | 17:07 |
celebdor | (but possible) | 17:07 |
ltomasbo | I'll check | 17:07 |
ltomasbo | pod to VM FIP will work | 17:07 |
ltomasbo | as the VM-subnet will have the default security group with the icmp/ssh enabled | 17:08 |
ltomasbo | umm, it is pod->vm and vm->pod | 17:09 |
ltomasbo | I wonder how that works... | 17:09 |
ltomasbo | well, looking at the test I'm not sure if self.assertEqual('0', result.rstrip('\n')) is doing the right checking anyway | 17:12 |
openstackgerrit | Merged openstack/kuryr-kubernetes master: Add sudo for OpenShift registry CA cert copy https://review.openstack.org/589084 | 17:15 |
ltomasbo | ohhh | 17:20 |
ltomasbo | my mistake | 17:20 |
ltomasbo | I only added tcp to allow_from_default and allow_from_namespace | 17:20 |
ltomasbo | I'll fix it to add icmp... | 17:20 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add namespace isolation for services https://review.openstack.org/581421 | 17:34 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure OpenShift gate uses the namespace subnet/sg drivers https://review.openstack.org/580680 | 17:34 |
ltomasbo | dulek, celebdor ^^ now it should work even without changing the test | 17:35 |
*** celebdor has quit IRC | 21:07 | |
*** hongbin has quit IRC | 23:19 |