openstackgerrit | Merged openstack/kuryr-kubernetes master: Removing lbaasv2 related code https://review.openstack.org/631261 | 00:13 |
---|---|---|
*** spsurya has quit IRC | 00:26 | |
*** hongbin has joined #openstack-kuryr | 02:25 | |
*** rh-jelabarre has quit IRC | 03:52 | |
*** hongbin has quit IRC | 04:18 | |
*** phuoc__ has quit IRC | 05:25 | |
*** spsurya has joined #openstack-kuryr | 06:08 | |
*** phuoc has joined #openstack-kuryr | 06:09 | |
*** ccamposr has joined #openstack-kuryr | 06:53 | |
*** yboaron_ has joined #openstack-kuryr | 06:55 | |
*** ccamposr__ has joined #openstack-kuryr | 06:55 | |
*** ccamposr has quit IRC | 06:58 | |
*** aojea has joined #openstack-kuryr | 07:03 | |
*** gcheresh has joined #openstack-kuryr | 07:08 | |
*** aojea has quit IRC | 07:28 | |
*** aojea has joined #openstack-kuryr | 07:29 | |
*** aojea has quit IRC | 07:31 | |
*** maysams has joined #openstack-kuryr | 07:42 | |
*** gkadam has joined #openstack-kuryr | 08:22 | |
*** celebdor has joined #openstack-kuryr | 08:27 | |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Remove way of running without kuryr-daemon https://review.openstack.org/631278 | 09:29 |
dulek | ltomasbo, celebdor: Rebased. ^ | 09:29 |
ltomasbo | done | 09:36 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure host to pod connectivity for NP https://review.openstack.org/632503 | 09:45 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Fixup gate names after LBaaS v2 removal https://review.openstack.org/632674 | 09:51 |
openstackgerrit | Yossi Boaron proposed openstack/kuryr-tempest-plugin master: Rerun test in a single thread if multi-thread failed https://review.openstack.org/632684 | 10:14 |
celebdor | thanks dulek | 10:25 |
celebdor | ltomasbo: could I get some more info on https://review.openstack.org/#/c/631781/ | 10:37 |
*** pcaruana has joined #openstack-kuryr | 10:37 | |
celebdor | the commit message is very poor on details | 10:37 |
celebdor | about what the problem was | 10:37 |
celebdor | and the commit message lines are not wrapped! | 10:37 |
ltomasbo | celebdor, problem is 2 fold | 10:38 |
ltomasbo | celebdor, the initial patch set was not fixing what it was intended to | 10:38 |
celebdor | so did it fix something? | 10:38 |
ltomasbo | celebdor, nop, it was actually removing extra rules that needed to be there | 10:38 |
ltomasbo | celebdor, this is the redo of that patch: https://review.openstack.org/#/c/631587 | 10:39 |
celebdor | and what's the second fold? | 10:40 |
ltomasbo | celebdor, second part was that it deletes rules that needed to be there | 10:41 |
ltomasbo | celebdor, thus breaking the NP support for svc | 10:41 |
celebdor | I thought that was the first part | 10:41 |
celebdor | ltomasbo: did you sync with maysams to sort out the misunderstanding? Cause it feels like at some point we were out of sync about how NP svcs work | 10:42 |
ltomasbo | celebdor, yep, maysams and I were working on the same set of patch sets to fix the svc support | 10:43 |
*** livelace has joined #openstack-kuryr | 10:43 | |
celebdor | dulek: I managed to get you a review for https://review.openstack.org/#/c/626885/ | 10:43 |
celebdor | but not with the expected result :P | 10:43 |
ltomasbo | celebdor, problem was that we need each other's reviews to be more sure that we cover all the cases... | 10:44 |
maysams | ltomasbo, celebdor: Indeed. It is always better to have each other's reviews | 10:44 |
ltomasbo | celebdor, and test it, otherwise it is easy to miss corner cases (that was missing the case for multiple NPs) | 10:44 |
ltomasbo | celebdor, maysams: so, to the best of my knowledge, the next steps are: | 10:45 |
ltomasbo | 1) merging the revert | 10:45 |
ltomasbo | 2) merging this: https://review.openstack.org/#/c/631230 | 10:46 |
ltomasbo | 3) rebasing and merge https://review.openstack.org/#/c/631587 | 10:46 |
ltomasbo | 4) rebasing, and maysams reviews on https://review.openstack.org/#/c/629856 | 10:46 |
ltomasbo | ahh, and independently of such, reviewing ( celebdor and maysams) this: https://review.openstack.org/#/c/632503/ | 10:47 |
ltomasbo | with this, we only have the bug that maysams filed about the target ports to handle | 10:47 |
maysams | ltomasbo: we also have this one https://bugs.launchpad.net/kuryr-kubernetes/+bug/1810394 | 10:49 |
openstack | Launchpad bug 1810394 in kuryr-kubernetes "CRD podSelector is not properly updated on NP update" [High,Triaged] - Assigned to Maysa de Macedo Souza (maysa) | 10:49 |
maysams | but is not related to services | 10:49 |
mrostecki | hey folks! did anyone see the following error recently? http://paste.openstack.org/show/743162/ | 10:50 |
mrostecki | I'm using master devstack and master kuryr-kubernetes | 10:50 |
celebdor | ltomasbo: did you look into running kubernetes or openshift's NP tests? | 10:51 |
ltomasbo | celebdor, I didn't yet | 10:51 |
celebdor | mrostecki: Hi | 10:52 |
* celebdor looking | 10:52 | |
celebdor | oh, a devstack issue | 10:52 |
celebdor | mrostecki: can you show us your local.conf? | 10:52 |
celebdor | it is as if it missed octavia | 10:52 |
celebdor | ltomasbo: btw, I had already reviewed https://review.openstack.org/#/c/632503/ | 10:53 |
mrostecki | celebdor: I disabled octavia on purpose | 10:54 |
mrostecki | celebdor: http://paste.opensuse.org/view/raw/42317126 | 10:54 |
mrostecki | celebdor: so, the changes I made were 1) disabling octavia 2) disabling k8s services | 10:55 |
mrostecki | and disabling etcd | 10:55 |
mrostecki | I want to reuse my currently existing cluster | 10:55 |
mrostecki | and I want to write my CNI config for kubelet later by hand ;) | 10:55 |
celebdor | mrostecki: right | 10:56 |
celebdor | right now devstack assumes there is either lbaasv2 (or was it removed yesterday) or octavia | 10:56 |
celebdor | mrostecki: I would welcome a patch that checked if services are enabled in the handler and if they are not, that it would skip setting the LB stuff | 10:57 |
celebdor | are you up for it? | 10:57 |
mrostecki | celebdor: yes, I can try to do that | 10:57 |
celebdor | cool | 10:58 |
celebdor | thanks mrostecki! | 10:58 |
celebdor | Trying it together with cilium? | 10:58 |
mrostecki | yes. and months ago when I did that, disabling octavia didn't cause any issues | 10:59 |
mrostecki | but I guess that lbaasv2 was used instead | 10:59 |
mrostecki | now I'm trying things again from scratch, because the PR for enabling cilium as a chained plugin was merged recently | 11:00 |
celebdor | exactly :-) | 11:00 |
celebdor | but that path was removed yesterday | 11:00 |
celebdor | after a long deprecation | 11:00 |
celebdor | but didn't consider the no service approach | 11:01 |
celebdor | sorry about that | 11:01 |
mrostecki | damn, I should've started trying out kuryr on Monday, hahahah ;) | 11:01 |
mrostecki | no problem | 11:02 |
mrostecki | if I will hit any bigger issues with fixing devstack plugin, then I will maybe just enable octavia | 11:02 |
ltomasbo | ping maysams: about your comment here: https://review.openstack.org/#/c/629856/8/kuryr_kubernetes/controller/drivers/lbaasv2.py | 11:11 |
celebdor | mrostecki: ok. Please do let me know | 11:12 |
celebdor | and I'll try to help | 11:12 |
mrostecki | celebdor: so many things in the plugin depend on lb values. I think I will rather try to enable octavia | 11:28 |
mrostecki | celebdor: and create a bug on launchpad to follow up later | 11:28 |
mrostecki | with allowing to disable octavia without errors | 11:29 |
celebdor | mrostecki: cool | 11:29 |
celebdor | yeah, deploying with octavia and then just disabling the handler is probably the easiest way to go ahead with your stuff | 11:30 |
celebdor | :-) | 11:30 |
mrostecki | celebdor: diskimage-builder is still broken? should I use prefetched images? | 11:34 |
celebdor | I don't remember | 11:35 |
celebdor | ltomasbo: ^^ | 11:35 |
ltomasbo | celebdor, I actually don't know, I always use the prefetched one | 11:37 |
celebdor | mrostecki: safe to do the same then | 11:37 |
maysams | ltomasbo: pong | 12:10 |
ltomasbo | maysams, ping :) | 12:11 |
ltomasbo | maysams, it was about your comment on https://review.openstack.org/#/c/629856/8/kuryr_kubernetes/controller/drivers/lbaasv2.py | 12:11 |
ltomasbo | maysams, for the comment on lines 231-268, you mean if the pod (aka NP sg) has the default rule, just add a continue on after line 230, right? | 12:12 |
maysams | yes | 12:13 |
maysams | ltomasbo ^^ | 12:13 |
ltomasbo | maysams, yep, that makes sense and makes me realize another possible problem | 12:14 |
maysams | tell me | 12:14 |
ltomasbo | maysams, as for the comment on l276 | 12:14 |
ltomasbo | maysams, we do need to have an 'and', right? | 12:14 |
maysams | yes | 12:14 |
maysams | wait.. I read it wrong | 12:15 |
ltomasbo | we only remove those rules if we added some, and the rule is the default one | 12:15 |
ltomasbo | if we didn't add any rule, and there was a default rule, we should not remove it | 12:15 |
ltomasbo | maysams, ^^ | 12:15 |
ltomasbo | maysams, and now what I realized, at line 284, we should do something different | 12:16 |
ltomasbo | maysams, because just because one NP does not apply, we should not set the default listener rules (if there is any other NP that applies) | 12:17 |
ltomasbo | right? | 12:17 |
maysams | ltomasbo: I agree. Please, ignore that comment | 12:18 |
ltomasbo | maysams, ok, and regarding the add_default rules if... what do you think? | 12:20 |
ltomasbo | maysams, if there are different NPs applied to the pods/svc | 12:20 |
ltomasbo | if one does not match the container, but the second one does, we should not add the default rules, right? | 12:21 |
maysams | ltomasbo, I don't think we need to worry about this. Aren't we getting the sg applied to that specific service in here: | 12:24 |
maysams | https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/network_policy_security_groups.py#L240 | 12:24 |
ltomasbo | maysams, true | 12:26 |
maysams | All the matching that needed to be done regarding NPs was done previously, and we only look to the sgs. | 12:26 |
ltomasbo | maysams, so many pieces... | 12:26 |
ltomasbo | maysams, but... one sec | 12:26 |
ltomasbo | that will return the list of sgs, right? | 12:27 |
maysams | ltomasbo, yes | 12:27 |
ltomasbo | sg1 for NP1, sg2 for NP2 | 12:27 |
maysams | ok | 12:27 |
ltomasbo | ahh, ok, so the default SG will not be there... | 12:27 |
ltomasbo | got it | 12:27 |
ltomasbo | maysams, then, given that... should we instead of having a continue at line 230, simply have a break? | 12:28 |
maysams | ltomasbo, just one sec | 12:32 |
maysams | ltomasbo: I think we still need to create the rules in the LBaaS when we have the default sgs.. | 12:36 |
maysams | ltomasbo: It's possible to have the default sgs returned in that method we were talking about | 12:37 |
maysams | ltomasbo: due to this https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/network_policy_security_groups.py#L142 | 12:37 |
maysams | ltomasbo: ahh, but we are adding out of the iteration, so it's ok to break :) | 12:39 |
maysams | sry | 12:39 |
*** rh-jelabarre has joined #openstack-kuryr | 12:45 | |
dulek | Uh, seems like we have some requirements issue with os-resource-classes. I'm investigating that now. | 13:05 |
dulek | Okay, looks like new version isn't showing up in infra's pypi mirror. Not much we can do. | 13:21 |
livelace | celebdor, https://bugs.launchpad.net/kuryr-kubernetes/+bug/1813015 | 13:22 |
openstack | Launchpad bug 1813015 in kuryr-kubernetes "Controller doesn't delete LB if wrong floating subnet was set in a Service" [Undecided,New] | 13:22 |
celebdor | thanks livelace | 13:23 |
celebdor | yboaron_: could you take a look at ^^ | 13:24 |
*** livelace has quit IRC | 13:45 | |
*** livelace has joined #openstack-kuryr | 13:49 | |
yboaron_ | celebdor, Yep, I'll take care of that | 14:00 |
celebdor | thanks yboaron_!!! | 14:01 |
yboaron_ | livelace, Hi | 14:12 |
yboaron_ | livelace, regarding https://bugs.launchpad.net/kuryr-kubernetes/+bug/1813015 , Could you please attach the K8S service manifest to the bug? | 14:13 |
openstack | Launchpad bug 1813015 in kuryr-kubernetes "Controller doesn't delete LB if wrong floating subnet was set in a Service" [Undecided,New] - Assigned to Yossi Boaron (yossi-boaron-1234) | 14:13 |
*** yboaron_ has quit IRC | 14:37 | |
*** livelace has quit IRC | 14:58 | |
*** aojea_ has joined #openstack-kuryr | 15:12 | |
*** aojea_ has quit IRC | 15:31 | |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Fix CRD update when NP has namespaceSelectors https://review.openstack.org/631230 | 16:07 |
dulek | ltomasbo: Oh my, +400 lines in a bugfix? :D ^ | 16:10 |
ltomasbo | dulek, /o\ | 16:10 |
ltomasbo | dulek, yep, but it was because the functionality code ended up in the wrong driver | 16:11 |
ltomasbo | dulek, so it is pretty much moving it from one to the other | 16:11 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Revert "Ensure reaction to svc target-port update" https://review.openstack.org/631781 | 16:11 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure lb sg rules are not deleted when adding members https://review.openstack.org/631587 | 16:11 |
dulek | ltomasbo: Well, hard stuff is difficult to get right immediately. ;) | 16:11 |
ltomasbo | dulek, now that you are here, I rebased this one and lost +W: https://review.openstack.org/#/c/631781/ | 16:12 |
ltomasbo | dulek, can you add it back | 16:12 |
dulek | ltomasbo: Done. | 16:13 |
ltomasbo | thanks! | 16:13 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure lb sg rules are not deleted when adding members https://review.openstack.org/631587 | 16:15 |
openstackgerrit | Yossi Boaron proposed openstack/kuryr-kubernetes master: Handle exception raised in FIP allocation https://review.openstack.org/632772 | 16:15 |
*** gcheresh has quit IRC | 16:21 | |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure NP changes are applied to services https://review.openstack.org/629856 | 16:31 |
*** livelace has joined #openstack-kuryr | 16:37 | |
*** ccamposr__ has quit IRC | 16:41 | |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure host to pod connectivity for NP https://review.openstack.org/632503 | 16:44 |
dulek | ltomasbo: I'm looking at https://review.openstack.org/#/c/632503. | 16:59 |
dulek | ltomasbo: Is the current approach that SG's are provided by SG driver and all the rules are casually added by NP driver? | 17:00 |
openstackgerrit | Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Ensure NP changes are applied to services https://review.openstack.org/629856 | 17:03 |
ltomasbo | dulek, yep, SG driver is returning the SG associated to pods/services | 17:03 |
ltomasbo | dulek, and the NP driver is in charge of adding the needed rules | 17:04 |
ltomasbo | dulek, or the lbaas one for the loadbalancers | 17:04 |
dulek | ltomasbo: "sg = self.neutron.create_security_group(body=security_group_body)" - seems like it also creates the SG… | 17:04 |
dulek | ltomasbo: I'm a bit puzzled about what are the responsibilities of each piece. | 17:05 |
dulek | ltomasbo: In perfect world SG operations would happen only in SG driver, right? | 17:05 |
ltomasbo | SG driver is not creating the SGs actually, it is returning the information about the ones assigned to each resource | 17:05 |
ltomasbo | well, to make that happen, we will need to make drivers aware of each other | 17:06 |
ltomasbo | and/or move a lot of the functionality from drivers to handlers | 17:07 |
dulek | ltomasbo: Can you provide an example why? Just so I understand the complexity here. | 17:07 |
ltomasbo | in my view, separation is, handlers to the kubernetes event, and then use the drivers to create the openstack resources | 17:08 |
dulek | ltomasbo: Hm, yeah, I get this. I'd rather have less code in drivers and more in handlers, but I don't think I have any arguments besides gut feeling, so I might be totally wrong with that. | 17:08 |
dulek | ltomasbo: Yeah, that's my understanding as well. | 17:08 |
dulek | ltomasbo: That's why I'm puzzled on network_policy driver as there is no such OpenStack resource. :P | 17:09 |
ltomasbo | perhaps it is time to reorganize the code too... since it is getting a bit too much linked with that many options | 17:09 |
ltomasbo | problem is that, network policy driver is using the network policy sg driver to get the security groups associated to the pods and services | 17:09 |
ltomasbo | then it is doing some actions, but at the same time, the lbaasV2 driver is the one in charge of handling the security groups for the services | 17:10 |
ltomasbo | and then, at the same time, NPs needs namespace functionality (not the isolation though) to create the different subnets per namespace | 17:10 |
ltomasbo | I guess the main thing is that SG/SG_rules creation/deletion may happen at different events (namespace creation, service creation, pod creation, network_policy creation, and the respective updates/deletion) | 17:13 |
ltomasbo | dulek, ^^ | 17:13 |
dulek | ltomasbo: Uh, yeah… We'd need to pass all those resources state into SG driver for it to calculate what to do. | 17:13 |
dulek | ltomasbo: BTW - why do we do subnet per namespace for NP? | 17:14 |
ltomasbo | when you create a network policy, its scope is the namespace in which it is created | 17:14 |
ltomasbo | and we are using the subnet CIDR to reduce the craziness of security group rules | 17:14 |
dulek | ltomasbo: Ooooh, good. | 17:14 |
*** gkadam has quit IRC | 17:29 | |
*** maysams has quit IRC | 17:43 | |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: Enable debug logs on Kubernetes services https://review.openstack.org/626609 | 18:09 |
openstackgerrit | Michał Dulko proposed openstack/kuryr-kubernetes master: DNM: Save etcd metrics https://review.openstack.org/631506 | 18:10 |
*** aojea has joined #openstack-kuryr | 18:27 | |
*** aojea has quit IRC | 18:29 | |
*** celebdor has quit IRC | 18:30 | |
*** aojea has joined #openstack-kuryr | 18:30 | |
*** spsurya has quit IRC | 19:55 | |
*** aojea has quit IRC | 20:03 | |
*** aojea has joined #openstack-kuryr | 20:04 | |
*** celebdor has joined #openstack-kuryr | 20:36 | |
openstackgerrit | Yossi Boaron proposed openstack/kuryr-kubernetes master: Handle exception raised in FIP allocation https://review.openstack.org/632772 | 20:48 |
*** aojea_ has joined #openstack-kuryr | 21:27 | |
*** aojea has quit IRC | 21:28 | |
*** livelace has quit IRC | 21:32 | |
*** mrostecki has quit IRC | 22:19 | |
*** mrostecki has joined #openstack-kuryr | 22:23 | |
openstackgerrit | Merged openstack/kuryr-kubernetes master: Fix CRD update when NP has namespaceSelectors https://review.openstack.org/631230 | 22:36 |
*** mrostecki has quit IRC | 22:37 | |
*** mrostecki has joined #openstack-kuryr | 22:43 | |
*** mrostecki has quit IRC | 22:51 | |
*** mrostecki has joined #openstack-kuryr | 22:56 | |
*** aojea_ has quit IRC | 23:13 |