Wednesday, 2021-06-23

[00:04] <opendevreview> Brian Haley proposed openstack/networking-ovn stable/train: Add Health Monitor support  https://review.opendev.org/c/openstack/networking-ovn/+/796063
[00:29] <opendevreview> Brian Haley proposed openstack/networking-ovn stable/train: Add Health Monitor support  https://review.opendev.org/c/openstack/networking-ovn/+/796063
[06:53] <kklimonda> Hi, I'm looking for some clarifications on vlan-based provider networks. how would networking configuration for that work, when interface is shared between tunnel interface (used by computes to communicate with each other) and "external" interface (the one that provider networks are connected to)?
[06:55] <kklimonda> I see two ways of doing that - adding an internal port to vswitchd, or adding a vlan interface directly on the interface managed by ovs (marked with "master ovs-system" in ip l output). I've actually tested the second approach and it works, the first one should also work in theory.
[07:07] *** rpittau|afk is now known as rpittau
[07:21] <ralonsoh> lajoskatona, hi, can you rebase https://review.opendev.org/c/openstack/oslo.privsep/+/794993
[07:21] <ralonsoh> and address the comments on https://review.opendev.org/c/openstack/neutron-specs/+/767337
[07:22] <ralonsoh> (I think the spec is almost ready)
[07:22] <lajoskatona> ralonsoh: sure, I have already started
[07:22] <ralonsoh> perfect
[07:39] <opendevreview> Slawek Kaplonski proposed openstack/neutron-tempest-plugin master: Fix required extensions for the subnet's service type API tests  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/797594
[07:41] <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Sanitize MAC addresses  https://review.opendev.org/c/openstack/neutron/+/789831
[07:48] <opendevreview> Slawek Kaplonski proposed openstack/neutron master: [OVN] Add subnet-service-types as supported by OVN mech driver  https://review.opendev.org/c/openstack/neutron/+/797595
[08:51] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use payloads for PORT BEFORE_UPDATE events  https://review.opendev.org/c/openstack/neutron/+/795964
[09:07] <opendevreview> Lajos Katona proposed openstack/networking-bgpvpn stable/train: [EM releases] Move non-voting jobs to the experimental queue  https://review.opendev.org/c/openstack/networking-bgpvpn/+/796476
[09:15] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use payloads for PORT BEFORE_UPDATE events  https://review.opendev.org/c/openstack/neutron/+/795964
[09:18] <ralonsoh> slaweq, https://review.opendev.org/c/openstack/neutron/+/797051
[09:19] <ralonsoh> good catches, I'll propose a new PS now
[09:20] <opendevreview> Slawek Kaplonski proposed openstack/neutron-tempest-plugin master: Fix required extensions for the subnet's service type API tests  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/797594
[09:21] <slaweq> ralonsoh thx, sorry for catching it so late but I just thought about it today when I was reviewing it :)
[09:21] <ralonsoh> slaweq, that's ok and I'll propose changes for the other projects too
[09:21] <slaweq> ralonsoh++ thx
[09:54] <JohnnyW> Hi, just a question regarding neutron vpnaas functionality, I just upgraded all neutron controllers from rocky to stein and was doing verification of functionalities. I realized that when I'm creating new ipsec s2s connection it finally stays in status PENDING_CREATE even if it's working correctly, I mean I can connect from both sides correctly.
[09:54] <JohnnyW> Unfortunately this status is not changing even in several hours, it looks like it stays. I installed the newest package for stein (14.0.1 -> python3-neutron-vpnaas 2:14.0.1-0ubuntu1~cloud0), I checked the strongswan logs from both sides and they're looking exactly the same (connection established/installed). Anyone observed something
[09:54] <JohnnyW> similar? Thanks in advance for info! :)
[10:07] <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Make explicit the network backend used in the CI jobs  https://review.opendev.org/c/openstack/neutron/+/797051
[10:32] <slaweq> ralonsoh can You maybe +W https://review.opendev.org/c/openstack/neutron/+/787691/ ?
[10:32] <slaweq> it already has +2 from You and haleyb :)
[10:37] <opendevreview> Slawek Kaplonski proposed openstack/neutron master: DVR: Populate ARP entries of the allowed_address_pairs to the routers  https://review.opendev.org/c/openstack/neutron/+/601336
[10:37] <ralonsoh> slaweq, let me check
[10:42] <velizarx> Hey ralonsoh. I want to raise my question about RBAC bgpvpn implementation again. As I see we cannot initialize RBAC Object class for bgpvpn inside networking-bgpvpn repository because of this dynamic load (https://github.com/openstack/neutron/blob/1ad9ca56b07ffdc9f7e0bc6a62af61961b9128eb/neutron/db/rbac_db_models.py#L85). I've already tried to do this and it did not work. So my question, can I add RBACObject and RBAC database model to the
[10:42] <velizarx> main neutron repo?
[10:43] <velizarx> sorry :( it was old message c&p
[10:43] <ralonsoh> velizarx, did you import the module from networking_bgpvpn.neutron.services.plugin?
[10:44] <velizarx> working on it now
[10:44] <velizarx> and testing
[10:44] <ralonsoh> so what did you do?
[10:47] <velizarx> ralonsoh, my message above was a misclick, I've just sent the old message again, sorry. I'm trying to change the code as you mentioned and will let you know soon.
[10:48] <ralonsoh> perfect
[10:50] <velizarx> I also wanna ask about this bug/feature https://bugs.launchpad.net/neutron/+bug/1933242 What was the main reason to not add 'shared' field as other objects have?
[10:54] <ralonsoh> velizarx, you can share SGs using RBAC, the "shared" field was the old way to share objects
[10:54] <ralonsoh> having RBACs, this field is not necessary
[10:55] <ralonsoh> slaweq can provide better feedback, I think
[10:57] <velizarx> but what if we have our own policy.json config? how can we show shared SG for special role? It's impossible without shared field
[10:59] <ralonsoh> then you need to change your policy file
[11:00] <velizarx> already changed, please re-read the link https://bugs.launchpad.net/neutron/+bug/1933242 all the problem described there
[11:03] <slaweq> velizarx I think those are 2 different things: one is "shared" attribute which is available for some resources, and then resource is shared with everyone always
[11:03] <slaweq> that can be included in the policy
[11:03] <slaweq> and other thing is RBAC which allows You to share things with only some tenants
[11:03] <slaweq> and that is "independent" of policy file
[11:11] <opendevreview> Merged openstack/ovn-octavia-provider master: Ensure that load balancer is added to logical switch  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/796095
[11:12] <opendevreview> Slawek Kaplonski proposed openstack/neutron master: Remove tox_install_siblings=False from the functional job's definition  https://review.opendev.org/c/openstack/neutron/+/797622
[11:13] <opendevreview> Slawek Kaplonski proposed openstack/neutron-lib master: Add Neutron's functional job to the neutron-lib's CI  https://review.opendev.org/c/openstack/neutron-lib/+/797281
[11:15] <opendevreview> Manu B proposed openstack/neutron-specs master: BGPaaS enhancements  https://review.opendev.org/c/openstack/neutron-specs/+/783791
[11:33] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use payloads for PORT AFTER_UPDATE events  https://review.opendev.org/c/openstack/neutron/+/795117
[12:14] <velizarx> slaweq, thx for explanation. My task is to share special SG to special projects, and the same time the users in those projects should not have 'admin' role. For subnetpools for example we use rule like "field:subnetpools:shared=True" and it works. For SG I cannot find a way how to do it.
[12:19] gregrakandeevy
[12:53] <amotoki> velizarx: I looked at the bug you mentioned. one question: why do you need to change the default policy of "get_security_group"?
[12:54] <amotoki> velizarx: if you would like to share a special SG to specific projects, I think what you need to do is just to configure RBAC of secgroups.
[12:54] <amotoki> velizarx: I wonder you have more requirements.
[12:57] <velizarx> amotoki, In our installation we use lots of roles for the users. And only users which have special role 'security_group_admin' should be able to manage them. Full our policy.json file https://github.com/sapcc/helm-charts/blob/master/openstack/neutron/templates/etc/_neutron-policy.json.tpl
[12:59] <velizarx> yes, I use RBAC, and rule is created, but the end-user cannot see shared SG because of policies. Because of policies cannot understand that the SG was shared.
[13:01] <amotoki> velizarx: what happens if you use the default policy for "get_security_group". If a normal user (I mean a user without the special role) cannot create a new security group or rule, such user can only see SG shared to a project the user belongs to.
[13:01] <amotoki> velizarx: I might be missing something though.
[13:05] <opendevreview> Rodolfo Alonso proposed openstack/os-vif master: Make explicit the network backend used in the CI jobs  https://review.opendev.org/c/openstack/os-vif/+/797640
[13:08] <velizarx> amotoki, not everyone in the projects should see the SGs. Should see only those have other special role 'securitygroup_viewer'. So our policy looks like: "get_security_group": "rule:context_is_securitygroup_viewer" (https://github.com/sapcc/helm-charts/blob/master/openstack/neutron/templates/etc/_neutron-policy.json.tpl#L152)
[13:09] <velizarx> we control everything that the user can see/do in the project by our roles
[13:16] <amotoki> velizarx: so can only users who match context_is_securitygroup_viewer use such security group?
[13:17] <amotoki> velizarx: or do you want users without special roles (role for management and role for view) to use a shared SG when creating a server or associating it to a port?
[13:17] <velizarx> yes, and only users who match context_is_securitygroup_admin (role:security_group_admin under the hood) can manage (create/delete/update) SGs
[13:18] <velizarx> this is answer for first question :)
[13:18] <amotoki> velizarx: my first question is about visibility (not manageability)
[13:19] <velizarx> yes, only users which have 'viewer' role should use SGs
[13:19] <velizarx> not everyone in the project
[13:21] <velizarx> this is why we need to understand that SG was shared on the policy level also. Because for now the 'viewer' can see only own (created in this project) SGs
[13:23] <amotoki> velizarx: ack. what happens if you define a role like "sg_viewer" and allow only users with "sg_viewer" role in the policy?
[13:24] <velizarx> amotoki, in this case the users will not see 'shared' SGs (this is current problem)
[13:25] <amotoki> velizarx: with the default policy or your customized policy?
[13:25] <velizarx> amotoki, with customized
[13:26] <opendevreview> Merged openstack/ovn-octavia-provider stable/victoria: Ensure that load balancer is added to logical switch  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/796877
[13:33] <amotoki> velizarx: I am checking the default current behavior when project-A shares a resource to project-B.
[13:33] <amotoki> velizarx: and what happens in project-B in the default policy. I need to remember/check the current behavior for further advice.
[13:38] <opendevreview> Merged openstack/ovn-octavia-provider stable/ussuri: Ensure that load balancer is added to logical switch  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/796876
[13:44] <opendevreview> Slawek Kaplonski proposed openstack/neutron-lib master: Add Neutron's functional job to the neutron-lib's CI  https://review.opendev.org/c/openstack/neutron-lib/+/797281
[13:47] <amotoki> velizarx: I got the situation. I succeeded to reproduce it when disabling the old deprecated rules (enforce_new_defaults=True)
[13:47] <amotoki> velizarx: I will confirm the bug.
[13:49] <velizarx> amotoki, could you explain a bit where is a problem in the description of the bug? I can take the bug and try to fix it by myself.
[13:50] <amotoki> velizarx: sure. I will add a note on the bug.
[13:50] <velizarx> thank you for debugging
[13:51] <amotoki> slaweq: after checking the current behavior of RBAC (during the discussion with velizarx above), when set enforce_new_defaults=True, a SG shared via RBAC is NOT visible in a target project. Previously we did not hit it with the default policy but it will be a problem when we enforce new rules.
[13:51] <amotoki> slaweq: above is just FYI. I will look into it more.
[13:52] <opendevreview> Slawek Kaplonski proposed openstack/neutron-lib master: Add Neutron's functional job to the neutron-lib's CI  https://review.opendev.org/c/openstack/neutron-lib/+/797281
[13:52] <slaweq> amotoki thx, please open bug for that
[13:52] <slaweq> we will probably have more issues like that in the future
[13:53] <amotoki> slaweq: the bug is https://bugs.launchpad.net/neutron/+bug/1933242
[13:53] <amotoki> I am adding a comment. I just would like to share it as it is related to secure rbac work.
[13:53] <slaweq> I'm now trying to get some API job to be running with enforced new defaults, but it's not really supported in devstack nor tempest yet
[13:53] <slaweq> so it's not easy
[13:54] <amotoki> :(
[14:04] <amotoki> velizarx: I added a comment to the bug and it describes what I checked.
[14:14] <opendevreview> Sebastian Lohff proposed openstack/neutron master: Correctly label port as SubPort in SubPortNotFound  https://review.opendev.org/c/openstack/neutron/+/788706
[15:11] <opendevreview> Merged openstack/ovn-octavia-provider stable/wallaby: Ensure that load balancer is added to logical switch  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/796839
[15:24] <opendevreview> Oleg Bondarev proposed openstack/neutron master: Improve Port list and show  https://review.opendev.org/c/openstack/neutron/+/790691
[15:34] <opendevreview> Terry Wilson proposed openstack/networking-ovn stable/train: DNM, testing dsvm-functional-py27  https://review.opendev.org/c/openstack/networking-ovn/+/797682
[15:35] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/wallaby: Improve Subnet create performance  https://review.opendev.org/c/openstack/neutron/+/797588
[15:36] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/victoria: Improve Subnet create performance  https://review.opendev.org/c/openstack/neutron/+/797589
[15:36] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/ussuri: Improve Subnet create performance  https://review.opendev.org/c/openstack/neutron/+/797590
[15:36] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/train: Improve Subnet create performance  https://review.opendev.org/c/openstack/neutron/+/797591
[15:37] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/wallaby: Improve Subnet delete performance  https://review.opendev.org/c/openstack/neutron/+/797592
[15:38] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/victoria: Improve Subnet delete performance  https://review.opendev.org/c/openstack/neutron/+/797693
[15:39] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/ussuri: Improve Subnet delete performance  https://review.opendev.org/c/openstack/neutron/+/797695
[15:39] <opendevreview> Oleg Bondarev proposed openstack/neutron stable/train: Improve Subnet delete performance  https://review.opendev.org/c/openstack/neutron/+/797696
[15:40] <opendevreview> Lajos Katona proposed openstack/neutron-specs master: BFD support for Neutron  https://review.opendev.org/c/openstack/neutron-specs/+/767337
[15:49] *** gthiemon1e is now known as gthiemonge
[15:51] <opendevreview> Merged openstack/neutron master: [OVN] Disable mcast_flood on localnet ports  https://review.opendev.org/c/openstack/neutron/+/797418
[16:08] *** rpittau is now known as rpittau|afk
[16:10] <opendevreview> Terry Wilson proposed openstack/networking-ovn stable/train: Use TCP keepalives for ovsdb connections  https://review.opendev.org/c/openstack/networking-ovn/+/797692
[16:14] <opendevreview> Terry Wilson proposed openstack/networking-ovn stable/train: Use TCP keepalives for ovsdb connections  https://review.opendev.org/c/openstack/networking-ovn/+/797714
[16:15] <opendevreview> Terry Wilson proposed openstack/networking-ovn stable/train: Use TCP keepalives for ovsdb connections  https://review.opendev.org/c/openstack/networking-ovn/+/795633
[16:32] <opendevreview> Rodolfo Alonso proposed openstack/neutron stable/train: Revert "Increase log information when a RootHelperProcess fails"  https://review.opendev.org/c/openstack/neutron/+/797703
[17:24] <opendevreview> Merged openstack/neutron stable/wallaby: Make default hypervisor hostname compatible with libvirt  https://review.opendev.org/c/openstack/neutron/+/796854
[17:32] <opendevreview> Merged openstack/neutron stable/victoria: Make default hypervisor hostname compatible with libvirt  https://review.opendev.org/c/openstack/neutron/+/796855
[17:32] <opendevreview> Merged openstack/neutron stable/ussuri: Make default hypervisor hostname compatible with libvirt  https://review.opendev.org/c/openstack/neutron/+/796856
[18:43] <opendevreview> Merged openstack/neutron stable/wallaby: Force to close http connection after notify about HA router status  https://review.opendev.org/c/openstack/neutron/+/797407
[18:43] <opendevreview> Merged openstack/neutron stable/victoria: Force to close http connection after notify about HA router status  https://review.opendev.org/c/openstack/neutron/+/797408
[18:55] <opendevreview> Brian Haley proposed openstack/networking-ovn stable/train: Add Health Monitor support  https://review.opendev.org/c/openstack/networking-ovn/+/796063
[19:00] <opendevreview> Merged openstack/neutron stable/ussuri: Force to close http connection after notify about HA router status  https://review.opendev.org/c/openstack/neutron/+/797409
[19:01] <opendevreview> Merged openstack/neutron stable/train: Force to close http connection after notify about HA router status  https://review.opendev.org/c/openstack/neutron/+/797410
[19:17] <opendevreview> Brian Haley proposed openstack/networking-ovn stable/train: Add Health Monitor support  https://review.opendev.org/c/openstack/networking-ovn/+/796063
[20:13] <opendevreview> Brian Haley proposed openstack/networking-ovn stable/train: Add Health Monitor support  https://review.opendev.org/c/openstack/networking-ovn/+/796063
[20:22] <opendevreview> Merged openstack/neutron master: use callback payloads for SECURITY_GROUP_RULE  https://review.opendev.org/c/openstack/neutron/+/792895
[20:23] <opendevreview> Merged openstack/neutron master: Config option to enable OVN IDL on other workers  https://review.opendev.org/c/openstack/neutron/+/795781
[20:23] <opendevreview> Merged openstack/neutron stable/ussuri: Make phynet paramter also is optional when network_segment_range enabled  https://review.opendev.org/c/openstack/neutron/+/795279
[20:35] <admin1> hi guys .. for a network $uuid, which table in sql holds what dhcp agents are in which nodes
[20:39] <admin1> found it \o/
[20:58] <opendevreview> Merged openstack/neutron master: [ovn] Clean-up unused ACL method for DHCP  https://review.opendev.org/c/openstack/neutron/+/789777
[21:01] <opendevreview> Terry Wilson proposed openstack/networking-ovn stable/train: Use TCP keepalives for ovsdb connections  https://review.opendev.org/c/openstack/networking-ovn/+/795633
[21:15] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use callback payloads for SUBNET  https://review.opendev.org/c/openstack/neutron/+/796011
[21:17] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use callback payloads for SECURITY_GROUP  https://review.opendev.org/c/openstack/neutron/+/674044
[21:19] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use payloads for PORT AFTER_UPDATE events  https://review.opendev.org/c/openstack/neutron/+/795117
[21:19] <opendevreview> Mamatisa Nurmatov proposed openstack/neutron master: use payloads for PORT AFTER_DELETE events  https://review.opendev.org/c/openstack/neutron/+/797004
[22:01] <opendevreview> Merged openstack/neutron-specs master: L3 router support ndp proxy  https://review.opendev.org/c/openstack/neutron-specs/+/728628
[22:37] <opendevreview> Merged openstack/neutron master: Bump neutron-lib to 2.12.0  https://review.opendev.org/c/openstack/neutron/+/796404
