Thursday, 2024-03-07

« Wednesday, 2024-03-06 Index Friday, 2024-03-08 »
opendevreviewMerged openstack/neutron master: Exclude files from coverage check, improve overall result  https://review.opendev.org/c/openstack/neutron/+/91096800:47
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150903:50
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150907:11
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150907:22
opendevreviewRodolfo Alonso proposed openstack/neutron master: [FT] Group "functional.agent.l3" tests in the same executor  https://review.opendev.org/c/openstack/neutron/+/91164708:29
opendevreviewRodolfo Alonso proposed openstack/neutron master: [OVN] Enable "ha" API flag for OVN routers  https://review.opendev.org/c/openstack/neutron/+/91088908:37
opendevreviewRodolfo Alonso proposed openstack/neutron master: Add "subnet-external-network" extension to "subnet" resource  https://review.opendev.org/c/openstack/neutron/+/90731308:48
ralonsohslaweq, Houston, I have a problem. I have a new extension to be added 08:55
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/90731308:55
ralonsohand the n-t-p patch08:55
ralonsohhttps://review.opendev.org/c/openstack/neutron-tempest-plugin/+/91110508:55
ralonsohthe problem is that both patches depend on each other08:56
ralonsohif I push the neutron patch (alone), the "neutron_tempest_plugin.api.test_subnets.SubnetsSearchCriteriaTest" will fail (because the extension is not loaded yet in the n-t-p test)08:56
slaweqralonsoh let me finish one thing and I will check those patches, ok?08:57
ralonsohslaweq, sure, thanks a lot08:57
*** mklejn_ is now known as mklejn09:00
fricklerralonsoh: shouldn't the new test be skipped if the extension isn't loaded?09:15
slaweqfrickler but it's not new tests which are failing09:16
slaweqand I don't really understand how neutron-tempest-plugin's patch may help with that09:17
opendevreviewFrode Nordahl proposed openstack/neutron master: Add documentation for aa-l3-gw-multihoming  https://review.opendev.org/c/openstack/neutron/+/89940209:20
ralonsohfrickler, slaweq I think I know how to solve this: we need to enable the extension only if present09:25
ralonsohthis is why the neutron devstack neutron-**** service was created09:25
ralonsohI'll push a new patch09:25
opendevreviewRodolfo Alonso proposed openstack/neutron master: [FT] Group "functional.agent.l3" tests in the same executor  https://review.opendev.org/c/openstack/neutron/+/91164709:39
opendevreviewRodolfo Alonso proposed openstack/neutron-tempest-plugin master: Add extension "subnet-external-network"  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/91110509:42
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150909:46
slaweqralonsoh ykarel lajoskatona can You check https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/911445 when You will have time?09:56
slaweqthx in advance09:56
slaweqralonsoh I already addressed Your comments there09:57
slaweqlajoskatona thx, I just noticed You already reviewed it :)09:58
opendevreviewMerged openstack/os-ken unmaintained/wallaby: Update .gitreview for unmaintained/wallaby  https://review.opendev.org/c/openstack/os-ken/+/91153710:11
*** fnordahl_ is now known as fnordahl10:13
opendevreviewMerged openstack/ovn-octavia-provider unmaintained/victoria: Update .gitreview for unmaintained/victoria  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/91151410:14
opendevreviewMerged openstack/networking-midonet unmaintained/victoria: Update .gitreview for unmaintained/victoria  https://review.opendev.org/c/openstack/networking-midonet/+/91149510:14
opendevreviewMerged openstack/os-ken unmaintained/victoria: Update .gitreview for unmaintained/victoria  https://review.opendev.org/c/openstack/os-ken/+/91151210:16
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Ensure cr-lrp is assigned to a gateway chassis  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/91168410:29
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Ensure cr-lrp is assigned to a gateway chassis  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/91168410:29
opendevreviewJayce Houtman proposed openstack/neutron master: Change exception messages to error log messages for DNS integration.  https://review.opendev.org/c/openstack/neutron/+/90021210:57
opendevreviewRodolfo Alonso proposed openstack/neutron master: [FT] Group "functional.agent.l3" tests in the same executor  https://review.opendev.org/c/openstack/neutron/+/91164710:58
opendevreviewJayce Houtman proposed openstack/neutron master: Change exception messages to error log messages for DNS integration.  https://review.opendev.org/c/openstack/neutron/+/90021211:00
opendevreviewJayce Houtman proposed openstack/neutron master: Change exception messages to error log messages for DNS integration.  https://review.opendev.org/c/openstack/neutron/+/90021211:08
opendevreviewRodolfo Alonso proposed openstack/neutron master: [FT] Group "functional.agent.l3" tests in the same executor  https://review.opendev.org/c/openstack/neutron/+/91164711:23
opendevreviewyatin proposed openstack/neutron unmaintained/yoga: [DNM] check yoga periodic jobs  https://review.opendev.org/c/openstack/neutron/+/91169912:01
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Fix check for a CR-LRP as a gateway port  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/91170112:07
noonedeadpunkHey folks. I was wondering, to which chassis in OVN FIP is designed to be assigned to when enable_distributed_floating_ip is False?12:07
noonedeadpunkAs I do see it on compute both in NB and SB dbs12:07
noonedeadpunkthere could be some changes lately ofc, I'm playing with some sort of Bobcat right now12:09
ralonsohnoonedeadpunk, https://docs.openstack.org/neutron/latest/admin/ovn/routing.html. Without DVR, the FIP traffic goes through the active chassis12:20
ralonsohcheck the LRP gateway_chassis12:20
noonedeadpunkso fip has `options: {requested-chassis=os-compute02}` when I do `ovn-sbctl list Port_Binding` 12:28
noonedeadpunkand same for `ovn-nbctl list Logical_Switch_Port`12:28
opendevreviewRodolfo Alonso proposed openstack/neutron master: Add "subnet-external-network" extension to "subnet" resource  https://review.opendev.org/c/openstack/neutron/+/90731312:29
noonedeadpunk`gateway_chassis     : []`12:29
noonedeadpunkin sb db12:29
ralonsohrequested-chassis is only used for live migrations12:31
ralonsohas far as I know12:31
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Fix check for a CR-LRP as a gateway port  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/91170112:31
opendevreviewMerged openstack/neutron unmaintained/yoga: [OVN] Add ``subnetpool-prefix-ops`` extension to ML2/OVN mech driver  https://review.opendev.org/c/openstack/neutron/+/90881812:35
noonedeadpunkralonsoh: well, I'm jsut checking on ovn-bgp and trying to understand how it "should" get chassis of the FIP12:43
noonedeadpunkas currently they indeed use requested-chassis from what I see12:43
noonedeadpunkor well12:45
noonedeadpunkon sb db chassis: 252cf809-ab9d-46d2-96e2-15c212b6628b and then ovn-sbctl list Chassis 252cf809-ab9d-46d2-96e2-15c212b6628b gives `hostname            : os-compute02-az1.mh.citytest.se`12:46
noonedeadpunkso in sbdb it's still maps to compute. But actually, I would expect to find some binding in NB DB as well and either I'm looking in the wrong place... or it's not there...12:47
noonedeadpunkso I assume it passes throgh this logic: https://opendev.org/openstack/ovn-bgp-agent/src/branch/master/ovn_bgp_agent/drivers/openstack/watchers/base_watcher.py#L107-L10912:50
noonedeadpunkltomasbo: sorry, will ping you here as well :)12:51
noonedeadpunkas it feel that logic of the agent slightly falling apart for non-distributed FIPs. Or I just running too old neutron, which does not populate smth to ovn...12:51
noonedeadpunkbut given ralonsoh saying that requested-chassis should not be source of truth for VIP chassis selection, but it feels like it is after all?12:52
noonedeadpunkralonsoh: but do you know how/where I can check for the chassis if FIP in NB DB? Is there a way at all?13:01
mnederlofi am not sure ovn-bgp-agent is suited for non-distributed fips; fips are stored in nat table, and attached to a fip_port_id, you can lookup that port id in the logical_switch_port table13:03
mnederlofbut that is in the case of distributed fip13:03
mnederlofthe router ports can be found in logical-router-port table13:03
mnederlofif you have recent ovn version, you should have status column, that tells you which host is responsible for exposing the router port13:04
mnederlofin the nat table you will find a reference to the neutron:router_name too in the external_ids13:05
mnederlofand the nat entry is referenced from the logical-router entry as well13:06
mnederlof@noonedeadpunk ^^ 13:06
noonedeadpunkI will check on that now, thanks!13:11
mnederlofout of curiosity, why not use the distributed fip feature?13:12
noonedeadpunkwell, we want to limit amount of places where public connectivity is possible13:13
noonedeadpunkwe eventually wanted air-gapped environment as much as possible13:14
noonedeadpunkmeaning that exposing net nodes / gateways towards core routers is minimal thing13:14
mnederlofok, interesting :) 13:15
noonedeadpunkand then network folks want only very minimal list of bgp speakers13:17
noonedeadpunkand small network for announcements13:18
mnederlofi probably do not have to explain you this, but the node that are connected to public, are the bottlenecks of your traffic, and when ddos occurs, your failure domain (of ip´s that are unreachable) is quite big at that point. But still that is something you probably accepted in favor of the air-gap requirement :)13:19
noonedeadpunkyeah13:19
noonedeadpunkwe're running OVS setup for years pretty much the same way13:20
* frickler has the same requirements as noonedeadpunk, so likely not an uncommon setup13:20
noonedeadpunkso there's some level of concervatism present as well13:20
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150913:21
mnederlofoh definitely not uncommon, it was how neutron worked in the early days as well, until DVR / distributed FIP became a thing13:21
noonedeadpunkmnederlof: well... I mean... I did run namespaces on linuxbridges back in the days. which is kinda-kinda close to distributed FIP (not really, but still)13:25
opendevreviewMerged openstack/neutron-tempest-plugin master: Remove usage of testscenarios and replace it with ddt library  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/91144513:28
mnederlofxD13:34
*** gthiemon1e is now known as gthiemonge13:36
noonedeadpunknamespaces on linuxbridges on computes14:04
opendevreviewRodolfo Alonso proposed openstack/neutron master: [FT] Group "functional.agent.l3" tests in the same executor  https://review.opendev.org/c/openstack/neutron/+/91164714:05
opendevreviewRodolfo Alonso proposed openstack/neutron-tempest-plugin master: Add extension "subnet-external-network"  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/91110514:53
opendevreviewMerged openstack/neutron-lib master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/neutron-lib/+/91155515:14
opendevreviewMerged openstack/os-ken master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/os-ken/+/91156515:16
opendevreviewMerged openstack/os-ken master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/os-ken/+/91153815:16
opendevreviewMerged openstack/os-ken master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/os-ken/+/91151315:16
opendevreviewMerged openstack/ovsdbapp master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/ovsdbapp/+/91156915:21
opendevreviewMerged openstack/ovsdbapp master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/ovsdbapp/+/91154215:21
opendevreviewMerged openstack/ovsdbapp master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/ovsdbapp/+/91151715:23
opendevreviewMerged openstack/neutron-vpnaas master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/neutron-vpnaas/+/91156115:23
ltomasbonoonedeadpunk, sorry I was on a meeting and then having lunch15:25
opendevreviewMerged openstack/neutron-lib master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/neutron-lib/+/91153015:25
opendevreviewMerged openstack/neutron-lib master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/neutron-lib/+/91150215:25
opendevreviewMerged openstack/neutron-vpnaas master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/neutron-vpnaas/+/91153415:26
ltomasbonoonedeadpunk, for VIPs (virtual IPs, different than FIPs), we were using information on the external-ids, as the requested chassis is not working for vips15:26
ltomasbonoonedeadpunk, so if neutron version is too old, perhaps it does not have the option to add that information on the external_ids15:27
ltomasbonoonedeadpunk, https://review.opendev.org/c/openstack/ovn-bgp-agent/+/88318715:28
ltomasbonoonedeadpunk, this is the patch needed on neutron side: https://review.opendev.org/c/openstack/neutron/+/882705, it was backported up to wallaby15:29
noonedeadpunkltomasbo: yeah, sorry, I indeed meant FIPs 15:30
ltomasbonoonedeadpunk, ahh, ok, and you are using the NB driver, right?15:31
noonedeadpunkyep15:31
noonedeadpunkAnd eventually, this is using requested_chassis: https://opendev.org/openstack/ovn-bgp-agent/src/branch/master/ovn_bgp_agent/drivers/openstack/watchers/base_watcher.py#L107-L10915:31
noonedeadpunkand requested_chassis is always compute there15:32
opendevreviewMerged openstack/neutron-vpnaas master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/neutron-vpnaas/+/91150815:32
noonedeadpunkI was also on a meeting with our net folks who tried to explain me what we do want in fact:)15:32
noonedeadpunkand among exposing fips from net nodes, they also mentioned multiple VRFs for FRR configuration15:33
noonedeadpunkin order to be able to bring in external customer networks15:33
ltomasbonoonedeadpunk, the process was to detect the external_ids information on the logical router ports15:34
noonedeadpunkand we've briefly looked at EVPN implementation, but it seems there's only either-or case for the drivers?15:34
ltomasbonoonedeadpunk, so, it is using the information on the logical port where the fips is associated too15:34
noonedeadpunkum. so why I started digging in code as I got no signs of fip being even processed on action15:35
ltomasbonoonedeadpunk, it is not directly (NAT entries are not used)15:35
ltomasbonoonedeadpunk, we process logical router ports... and check that in the external_ids neutron has added/removed the FIP reference15:36
noonedeadpunkwhich lead me here https://opendev.org/openstack/ovn-bgp-agent/src/branch/master/ovn_bgp_agent/drivers/openstack/watchers/nb_bgp_watcher.py#L176-L18015:36
ltomasbonoonedeadpunk, regarding evpn, mnederlof is working on a patch to add support for it: https://review.opendev.org/c/openstack/ovn-bgp-agent/+/90650515:36
noonedeadpunkand eventually it should not pass the condition?15:36
noonedeadpunkoh!15:36
opendevreviewOpenStack Release Bot proposed openstack/neutron-lib stable/2024.1: Update .gitreview for stable/2024.1  https://review.opendev.org/c/openstack/neutron-lib/+/91189315:37
opendevreviewOpenStack Release Bot proposed openstack/neutron-lib stable/2024.1: Update TOX_CONSTRAINTS_FILE for stable/2024.1  https://review.opendev.org/c/openstack/neutron-lib/+/91189415:37
opendevreviewOpenStack Release Bot proposed openstack/neutron-lib master: Update master for stable/2024.1  https://review.opendev.org/c/openstack/neutron-lib/+/91189515:37
ltomasbonoonedeadpunk, the nb driver is newer than the sb driver... perhaps we missed the non-DVR in there15:37
opendevreviewOpenStack Release Bot proposed openstack/os-ken stable/2024.1: Update .gitreview for stable/2024.1  https://review.opendev.org/c/openstack/os-ken/+/91189615:37
opendevreviewOpenStack Release Bot proposed openstack/os-ken stable/2024.1: Update TOX_CONSTRAINTS_FILE for stable/2024.1  https://review.opendev.org/c/openstack/os-ken/+/91189715:37
opendevreviewOpenStack Release Bot proposed openstack/os-ken master: Update master for stable/2024.1  https://review.opendev.org/c/openstack/os-ken/+/91189815:37
opendevreviewOpenStack Release Bot proposed openstack/ovsdbapp stable/2024.1: Update .gitreview for stable/2024.1  https://review.opendev.org/c/openstack/ovsdbapp/+/91189915:38
opendevreviewOpenStack Release Bot proposed openstack/ovsdbapp stable/2024.1: Update TOX_CONSTRAINTS_FILE for stable/2024.1  https://review.opendev.org/c/openstack/ovsdbapp/+/91190015:38
opendevreviewOpenStack Release Bot proposed openstack/ovsdbapp master: Update master for stable/2024.1  https://review.opendev.org/c/openstack/ovsdbapp/+/91190115:38
noonedeadpunkltomasbo: ok, sure, that's really a good lead15:38
noonedeadpunkI can check on sb code then and suggest a fix!15:38
opendevreviewOpenStack Release Bot proposed openstack/python-neutronclient stable/2024.1: Update .gitreview for stable/2024.1  https://review.opendev.org/c/openstack/python-neutronclient/+/91190215:38
opendevreviewOpenStack Release Bot proposed openstack/python-neutronclient stable/2024.1: Update TOX_CONSTRAINTS_FILE for stable/2024.1  https://review.opendev.org/c/openstack/python-neutronclient/+/91190315:38
opendevreviewOpenStack Release Bot proposed openstack/python-neutronclient master: Update master for stable/2024.1  https://review.opendev.org/c/openstack/python-neutronclient/+/91190415:39
ltomasbonoonedeadpunk, SB driver works for sure, as it is checking the nat addressed added on the cr-lrp port... so... it is taking the right chassis15:39
ltomasbonoonedeadpunk, please open a launchpad bug for this... I think it is indeed something we missed there15:39
noonedeadpunkyeah, but what I got nb is preffered?15:39
noonedeadpunkas sb should not be considered as source of truth?15:40
ltomasbonoonedeadpunk, yep, problem with the SB is that things can change in OVN and break us15:40
ltomasbo(as it already happen with LoadBalancers several times)15:40
ltomasbonoonedeadpunk, and all the new stuff is being done on top of NB DB driver15:40
noonedeadpunkyeah, fair. I'm just thinking if I should consider using SB for now as an option at all15:40
noonedeadpunkyeah, ok.15:41
ltomasboso... yeah, we definitely should fix it on the NB DB is that is not working15:41
ltomasbonoonedeadpunk, if it has what you need... why not15:42
ltomasboin your case you only need to run the ovn-bgp-agent in the networker/gateway nodes15:42
noonedeadpunkbecause of the reasons you've mentioned?:)15:42
noonedeadpunkyeah, this is what I'm really aiming for15:42
noonedeadpunkbut also wanna use something future-proof a bit rather then deprecated legacy out of the box...15:43
opendevreviewLiushy proposed openstack/neutron master: [OVN] Support address group for ovn driver  https://review.opendev.org/c/openstack/neutron/+/85150915:44
spatelFolks, does anything changed between zed and 2023.1 about policy.yaml ?  because in Zed same policy working but in 2023.1 it doesn't 15:44
spatel"delete_floatingip": "(rule:admin_only)"15:44
spateldoes policy.yaml file required restart of neutron service? 15:45
ltomasbonoonedeadpunk, for what is worth... SB was the base, but it is not deprecated (we actually support it), but the new stuff will get added to the NB DB I suppose15:46
noonedeadpunkiirc it should be loaded on-fly15:46
ltomasboand... as mentioned... if NB has a bug... we should fix it! xD15:46
noonedeadpunkyeah, I'd rather focus on fixing it:)15:46
ltomasbothat is even better... if you not only report it, but also fix it! 15:47
noonedeadpunkSo. given our usecase of air-gapped environement as much as possible, and will for isolation between external networks, as some are going to be customer-only (private) ones, and others are shared - what exposure method I should be looking at - vrf or ovn is still on the table?15:49
noonedeadpunkyeah, I mean, I'm given some time to dig there and get us a working state15:49
ltomasbonoonedeadpunk, I may need more details... you have a BGP (l3) datacenter? I mean, why not using DVR is you have BGP?15:50
ltomasbonoonedeadpunk, and if you require evpn/vrf... then there is only one option, which is mnederlof patch15:51
noonedeadpunkwe're building a new as-much-as-possible L3 datacenter15:52
noonedeadpunkreason for no DVR - is limit hosts that do have/process internet access as much as possible15:52
noonedeadpunkso we can't put all computes there for this reason15:52
ltomasbonoonedeadpunk, but then... why not having DVR? 15:52
noonedeadpunkbasically - no hosts are having access to the internet, though tenant VMs should15:53
ltomasbobut... internet access will go through the spine leaf, right? why not blocking it at a different point? instead of having the L3 infrastructure saturated in some spots?15:53
noonedeadpunkbut hypervisors, controller nodes, etc are fully air-gapped15:53
jrosser^ i am in the same sitation as noonedeadpunk and would follow almost identical model for my deployments when i come to do OVN fwiw15:54
ltomasbonoonedeadpunk, ok, I see15:54
noonedeadpunkexactly - all will go through spine leaf15:54
ltomasbojrosser, also with ovn-bgp-agent??15:54
jrosseri would need a solution for ipv6 tenant networks for sure15:55
ltomasbonoonedeadpunk, 15:55
ltomasbonoonedeadpunk, so... you want to expose only FIPS or also tenant IPS?15:56
jrosserand i am also very interested in having multiple external networks in different VRF too15:56
ltomasbonoonedeadpunk, as the tenant IPs will already be exposed through the controllers/networkers15:56
noonedeadpunkI'm a bit confused right now about tenant IPs... I mean - I don't have full picture as it's not me who's desigining core networking. I need though to bring all things together:)15:57
noonedeadpunkbut I think tenant IPs are east-west traffic?15:57
noonedeadpunkor you mean - "external" networks?15:57
mnederloftenant ips are ips behind neutron router15:57
ltomasbonoonedeadpunk, those tenant IPs can also be BGP advertised, from the networker node15:58
ltomasbothen, from there it will go geneve tunnel to the node where the VM is15:58
ltomasbobut instead of exposing the FIP, you are exposing directly the IP of the VM in the tenant network( though you need to ensure it does not overlap)15:58
ltomasbothat is simpler with vrf support that mnederlof is adding15:59
noonedeadpunkyeah, ok, this non-overlaping of tenant networks was really confusing me15:59
noonedeadpunkto the point where I don't understand what is meant and what's the usecase15:59
noonedeadpunkI guess the usecase, is that you make an external shared network?15:59
noonedeadpunkso you don't need FIPs anymore and can attach external network directly?16:00
ltomasbonoonedeadpunk, the point is that you can expose newtork connected to the provider network16:00
ltomasboit will go through an ovn router... thus it needs to be exposed on the networker node16:00
ltomasboand the problem is that you need to avoid different tenant exposing the same CIDR16:00
noonedeadpunkyeah, I don't think I have that usecase16:00
noonedeadpunkas we totally have tenants with same cidrs as there's no way we can control it16:01
ltomasboright16:01
mnederlofthere is a way to control it though, you should check out address scopes and subnet pools16:01
noonedeadpunkor well. we might be having some networks that customers bring to us. They're currently implemented jsut as vlans16:01
noonedeadpunkand connect VMs with out-of-premise things16:02
mnederlofthen you can only expose the tenant subnets that match a specific address scope16:02
ltomasbostill... there may be customer that need to use 10.0.0.0/24 for whatever reason... so16:02
mnederlofyeah, those just need to be separated with vni16:02
noonedeadpunk10.0.0.0/8 I'd say. would be even more fun16:02
mnederlofand separate provnet16:02
ltomasboI need to go, nice discussion! don't forget to file the bug, we'll try to figure out a solution for it, it may only affect fips16:02
noonedeadpunkok, separate provnet is probably fair....16:02
noonedeadpunkltomasbo: thanks for your time as usual!16:03
mnederlofat least that is how we would solve that, every external customer connection that we have to expose, we would create a new provnet, with it´s own vni/vrf16:03
noonedeadpunkso basically, VRF is better choice. And I guess OVN exposure method won't handle the use-case16:03
mnederlofthen the customer can use that subnet to route through it, or use that network directly, as ´shared´ network16:03
noonedeadpunkand we'd need your patch for that https://review.opendev.org/c/openstack/ovn-bgp-agent/+/906505 16:04
mnederlofyep, but i have not tested non-dvr scenario 16:04
noonedeadpunkmnederlof: ok, yes, that's what was I told the usecase will be (one of)16:04
noonedeadpunkwhile mainly we need to expose only FIPs16:05
noonedeadpunk-only-16:05
noonedeadpunk* mainly exposing FIPs16:05
mnederlofwhich is basically a provider network with ´router:external´ enabled16:05
noonedeadpunkyeah16:05
noonedeadpunkok, well. I think I can test the patch :)16:06
mnederlofplease read the doc i wrote (zuul temp copy can be found here: https://45b67cabc958c12316a8-de1ec222256e01db8c1f1f4d7a4b9170.ssl.cf2.rackcdn.com/906505/7/check/openstack-tox-docs/a45a6ed/docs/examples/nb_evpn_vrf.html )16:07
noonedeadpunkyeah, sure, I was already reading it16:07
mnederlofmight get you up and running a bit faster (and if something is still unclear, please let me know in the patchset16:07
mnederlofthen i can add it in there16:07
mnederlofas i need to make some other changes as well, as you probably already read in the discussions there :)16:08
mnederlofour compute nodes also do not have direct public access per se, they just peer with the internal address of the public router, which maps the evpn to a public vrf16:09
mnederlofsince the entire thing is L3 routed anyway, i´d guess your routers are/should be reachable anyway O:-)16:09
noonedeadpunkfor some reason, which I'm not aware about, net team wants to peer with public IPs in small /28 subsets16:10
noonedeadpunkSo placing all computes there is not feasable16:10
noonedeadpunkI mean, yes. they should. But there's some magic behind the scene I don't get. 16:10
mnederlofwell, you need to terminate your EVPN/VXLAN overlay network somewhere, which is typically not done by the compute node in my experience16:11
noonedeadpunkno, totally not, I assume it's on leafs...16:11
noonedeadpunkI guess I'd need to bring somebody from our net team, as I'm really bad on details how they do thing...16:12
noonedeadpunkand they do not wanna touch openstack world...16:12
mnederlofsince it is overlay, you _could_ terminate the EVPN/VXLAN subnets on your networker nodes, and map them there to the public thing16:12
noonedeadpunkhm16:13
noonedeadpunkI probably could...16:13
mnederlofso on your networker nodes you could advertise the 0.0.0.0/0 route towards the computes (for those specific vni´s)16:14
mnederlofover the EVPN/VXLAN thing16:14
mnederlofthen, on those networker nodes, you can act as a router between openstack and the public domain16:15
noonedeadpunkthat sounds pretty much hacky way ?16:15
noonedeadpunkas frankly - I'd rather rely on geneve or smth in OVN16:16
noonedeadpunkto get the traffic to net node for me16:16
noonedeadpunkand I guess it's totally fine from business prespective, that ppl will have to deal with FIPs16:17
noonedeadpunkbut I mean, on the networker nodes I already act as a router for such external networks16:18
noonedeadpunkas we don't want traffic to go through the default gateway there16:19
noonedeadpunkso I made a separate table and ip rule to redirect traffic to this another routing table with alternative default route16:19
mnederlofyes, definitely :)16:21
noonedeadpunkBut I guess you got your point16:22
mnederlofi do not think is is necessarily hacky, since you are just terminating the EVPN/VXLAN on the router from where you do the actual routing16:22
mnederlofwhich in our point is a juniper mx router, but that could very well be a linux box obviously with frr16:22
mnederlofbut if non-dvr is the better way to go, then use that :)16:23
opendevreviewMerged openstack/neutron master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/neutron/+/91156316:23
noonedeadpunkfrankly - I was already thinking about running ovn-bgp-agent with FRR in a namespace to use both evpn and underlay drivers :D16:23
mnederlofwould be great if that works for the nb driver as well (if it not already is)16:23
spatelnoonedeadpunk are your planning to use FRR create bgp peer with your leaf switches? 16:24
mnederlofi have to go for now, nice discussion :)16:25
noonedeadpunkyeah, that's how ovn-bgp-agent works?16:25
noonedeadpunkmnederlof: thanks a lot!16:25
noonedeadpunkah, about bgp peer - probably spine actually16:26
spatelThat is what I am thinking.. all your leaf switch will be act like spine switches in that case.. 16:26
noonedeadpunkFranjkly - I just got set of IPs for neighbours and AS (and auth)16:26
noonedeadpunkso no idea what's there16:26
noonedeadpunkah, and note that I should use ebgp-multihop :)16:27
noonedeadpunkanywya16:27
spatelIn this diagram its very clear https://ltomasbo.wordpress.com/2021/02/04/ovn-bgp-agent-testing-setup/ 16:28
spatelcompute node FRR creating peers with leaf switches using /30 network and exposing /32 loopback IP as compute nodes IP 16:30
opendevreviewMerged openstack/neutron master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/neutron/+/91153616:33
opendevreviewMerged openstack/neutron master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/neutron/+/91151116:33
opendevreviewMerged openstack/networking-sfc master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/networking-sfc/+/91155116:37
opendevreviewMerged openstack/networking-bgpvpn master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/networking-bgpvpn/+/91154816:37
opendevreviewMerged openstack/networking-bagpipe master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/networking-bagpipe/+/91152116:46
*** jamesdenton_ is now known as jamesdenton16:48
-opendevstatus- NOTICE: Jobs that fail due to being unable to resolve mirror.dfw.rackspace.opendev.org can be rechecked. This error was an unexpected side effect of some nodepool configuration changes which have been reverted.16:55
opendevreviewMerged openstack/networking-bagpipe master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/networking-bagpipe/+/91149217:00
opendevreviewMerged openstack/networking-sfc master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/networking-sfc/+/91149817:42
opendevreviewBrian Haley proposed openstack/neutron master: Add note on iptables cleanup after OVS firewall migration  https://review.opendev.org/c/openstack/neutron/+/91195719:03
opendevreviewMerged openstack/networking-bgpvpn master: reno: Update master for unmaintained/victoria  https://review.opendev.org/c/openstack/networking-bgpvpn/+/91149419:59
opendevreviewMerged openstack/networking-sfc master: reno: Update master for unmaintained/wallaby  https://review.opendev.org/c/openstack/networking-sfc/+/91152620:02
opendevreviewMerged openstack/networking-bagpipe master: reno: Update master for unmaintained/xena  https://review.opendev.org/c/openstack/networking-bagpipe/+/91154620:18
opendevreviewMerged openstack/neutron master: [OVN] Enable "ha" API flag for OVN routers  https://review.opendev.org/c/openstack/neutron/+/91088922:32
« Wednesday, 2024-03-06 Index Friday, 2024-03-08 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!