Tuesday, 2015-10-20

[13:56] <ajo> russellb, when you're around,
[13:56] <ajo> could you dump me the flows of the bridge you use in OVN, with security groups?
[13:56] <ajo> I want to check a few things, and I'd like to think about QoS with OVN structure in mind too
[13:57] <ajo> lots of OvS / linux thinkering lately..
[13:57] <ajo> switchcade ^ ;)
[13:58] <russellb> ajo: http://paste.openstack.org/show/476870/
[13:58] <russellb> happened to have it handy
[13:58] <russellb> trying to get this all working in the tempest job
[13:58] <russellb> works locally >_<
[13:58] <ajo> sudo ovs-vsctl show ; sudo ovs-ofctl show <bridge> ; sudo ovs-ofctl dump-flows <bridge>
[13:58] <ajo> ahh
[13:58] <ajo> thanks, let me look
[13:58] <russellb> i guess you need to know which ports are which
[13:59] <ajo> the ovs-ofctl show helps me understand which port is which
[13:59] <ajo> come'on paste.openstack, serve to meeee!
[13:59] <russellb> http://paste.openstack.org/show/476871/
[13:59] <ajo> russellb++
[13:59] <ajo> super thanks
[14:00] <russellb> np
[14:00] <russellb> now to figure out which is which, even with that, heh
[14:00] <russellb> ofport 29 is probably my VM
[14:00] <russellb> which has the security group applied
[14:01] <ajo> russellb: neutron meeting :)
[14:01] <russellb> ah yes
[14:02] <russellb> ajo: http://paste.openstack.org/show/476872/
[14:02] <russellb> now with logical flows too
[14:02] <ajo> russellb++
[14:02] <ajo> super super thanks
[14:03] <russellb> can you share with kuba too?
[14:03] <russellb> he was asking yesterday
[14:03] <russellb> or i guess i can
[15:06] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: Add security group support using OVN ACLs.  https://review.openstack.org/223817
[15:06] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: Don't log error on expected condition.  https://review.openstack.org/237623
[15:07] <russellb> need one more review on this quick fix https://review.openstack.org/#/c/237623/1
[15:12] <gsagie> done
[15:13] <russellb> gsagie: thanks!
[15:15] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: support OVN NB Logical Router name Update.  https://review.openstack.org/237069
[16:56] <russellb> gsagie: still around?  https://review.openstack.org/#/c/237069/3 passed
[17:10] <switchcade> ajo: neat demo :)
[17:10] <ajo> switchcade, thanks, I cleaned it up a lot, it was a bit messy, and got updated :D
[17:11] <ajo> switchcade, but I'm bad communicating, my video is boring :D
[17:12] <switchcade> ah, it seems to nail exactly which commands you need to apply this, and pretty good visual with nload.
[17:13] <switchcade> I only wish Vimeo had a speedup feature like youtube does.
[17:13] * russellb having trouble with dhcp with security groups on :/
[17:13] <switchcade> (where you can play any video at 1.5x speed)
[17:13] <russellb> still digging into it though
[17:13] <russellb> all of my tests before applied the security group after the VM came up (and got its address via DHCP)
[17:14] <russellb> at least i'm narrowing in on why things are blowing up
[17:18] <russellb> yep, confirmed
[17:19] <russellb> WELL THEN
[17:19] <russellb> that only took me a day and half
[17:20] <russellb> switchcade: that's something you'd expect to work, right?
[17:20] <russellb> i have a from-lport ACL that says allow all output IP traffic (and related return traffic)
[17:20] <russellb> from-lport  1002 (inport == "380de133-796a-4a6c-8583-c31702a2752e" && ip4) allow-related
[17:22] <openstackgerrit> Merged openstack/networking-ovn: Don't log error on expected condition.  https://review.openstack.org/237623
[17:28] <russellb> ... and yep, changing security group to allow all incoming and outgoing IPv4 works
[17:28] <switchcade> hmm, so DHCP requires l3 broadcast I guess?
[17:28] <russellb> yeah
[17:29] <switchcade> I can't say I've tried something like that with the connection tracker before, so I'm not exactly sure how it would be tracked
[17:29] <russellb> i can probably hardcode a "fix" (dirty hack that makes me feel bad as a person)
[17:29] <russellb> yeah i don't know either :)
[17:30] <switchcade> I suspect the right answer is that you don't connection track it
[17:30] <switchcade> let's see, source=0.0.0.0, dst=255.255.255.255
[17:30] <russellb> in the interest of "omg make this work as fast as possible", i can hardcode some default ACLs in our plugin that allow the DHCP UDP port numbers through
[17:31] <switchcade> I think that's the most prudent.
[17:31] <russellb> k :)
[17:31] <russellb> but fyi, we'll probably have to revisit this under less time pressure :)
[17:32] <switchcade> oh, for sure. I think I've heard DHCP mentioned as a separate item before.
[17:32] <russellb> yes, we were going to do some native DHCP support in OVN
[17:32] <russellb> right now we use a Python agent that Neutron has, that spins up dnsmasq processes for each network
[17:33] <russellb> and it shows up on the network as another port
[17:33] <russellb> gets the job done ...
[17:33] <switchcade> I see.
[17:34] <switchcade> yeah, I think the "allow-related" directionality is probably not particularly compatible with a protocol that broadcasts requests and responses and uses different source addresses..
[17:35] <switchcade> I wonder if there's such a concept as applying stateful ACLs to DHCP in iptables-land
[17:35] <russellb> i wonder how this works in neutron today ...
[17:35] <russellb> ajo: do you know off hand?
[17:35] * russellb hesitant to go too far down the rabbit hole of trying to find out this minute
[17:35] <switchcade> either way, something we can look at with more detail when Tokyo isn't next week:)
[17:36] * switchcade agrees
[17:36] <russellb> agree
[17:36] * russellb does dirty hack
[17:58] * russellb confesses his sins ... to-lport 1002 (outport == "8d64160a-e55a-4693-b0e8-cc1aaabe027b" && ip4 && udp && (udp.src == {67,68} || udp.dst == {67,68})) allow-related
[17:59] <russellb> switchcade: that fixed it
[17:59] <russellb> "fixed"...
[17:59] <russellb> :)
[18:03] <russellb> in other news, <3 the powerful / easy ACL syntax
[18:09] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: Add security group support using OVN ACLs.  https://review.openstack.org/223817
[18:13] <switchcade> russellb: Jury's out on the cardinality of that sin ;)
[19:16] <russellb> switchcade: i swear that fix worked for me locally, but i'm still seeing failures because of VMs not getting DHCP responses :(
[19:34] <switchcade> russellb: I really do wonder if the connection tracker is still interfering
[19:34] <russellb> switchcade: yeah...
[19:34] <switchcade> I don't think there's actually a "bypass conntrack" pipeline
[19:34] <russellb> switchcade: let's go to #openvswitch actually, i was just talking about it there too
[19:34] <switchcade> oh, sure.,
[19:36] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: Add security group support using OVN ACLs.  https://review.openstack.org/223817
[19:39] <russellb> chandrav: hey, how are things going?
[19:40] <openstackgerrit> Merged openstack/networking-ovn: support OVN NB Logical Router name Update.  https://review.openstack.org/237069
[19:41] <chandrav> russellb: We faced one issue when the delete router interface request comes with only subnet id and not the port id
[19:42] <chandrav> there is no easy way of finding the port id with the current schema
[19:42] <chandrav> so we duplicated the code from neutron. so that seems to be working now
[19:42] <russellb> OK, sure, whatever works :)
[19:43] <russellb> we can stash stuff as external_ids on the OVN schema, but doesn't sound like that would help here
[19:43] <chandrav> there is also some test cases which test multiple prefixes on the same port, meaning one router interface will carry many subnets
[19:43] <chandrav> these tests seem to be failing in tempest
[19:43] <chandrav> yet to get to the root of the problem
[19:44] <russellb> OK, if you have to, we can disable some tests in devstack/devstackgaterc temporarily
[19:44] <russellb> if some basic cases seem to work
[19:45] <chandrav> yeah, i think most of the test cases pass.
[19:45] <chandrav> the current failures i am seeing in my setup are the following
[19:45] <chandrav> test_dualnet_multi_prefix_dhcpv6_stateless
[19:45] <russellb> i've got my fingers crossed on wrapping up security groups today, but i said that yesterday too ... after that i can help more
[19:46] <chandrav> test_dualnet_multi_prefix_slaac
[19:46] <russellb> chandrav: I think IPv6 is still a WIP for OVN's L3 support, actually
[19:46] <russellb> so maybe we should just disable all the IPv6 tests for the moment
[19:46] <chandrav> actually i have a total of 15 tests that are failing, most of them might not be related to ours
[19:46] <russellb> we'll have to double check the status with blp in #openvswitch
[19:46] <chandrav> yes
[19:47] <chandrav> i'll run through these test cases and make sure our code is not breaking them
[19:47] <russellb> great
[19:47] <russellb> russellb> blp: so, OVN L3 IPv6, still a WIP, right?
[19:47] <russellb> <blp> russellb: Yes.  Justin is working on it.
[19:47] <russellb> <russellb> k, just making sure i didn't miss something, thx
[19:48] <chandrav> np
[19:51] <openstackgerrit> Russell Bryant proposed openstack/networking-ovn: Add security group support using OVN ACLs.  https://review.openstack.org/223817