opendevreview | Liushy proposed openstack/neutron master: Only consider the IPv4 subnets when creating a FIP https://review.opendev.org/c/openstack/neutron/+/932405 | 02:49 |
---|---|---|
*** liuxie is now known as liushy | 02:50 | |
gmann | cardoe: which exact discussion slot? | 02:58 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: Update irrelevant-files with 2024.2 jobs zuul file https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932581 | 05:59 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: [WSGI] Move all OVN jobs to use WSGI API module (1) https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932520 | 06:00 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: [WSGI] Move all OVN jobs to use WSGI API module (2) https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932524 | 06:00 |
athiatr | Hi team, quick query, is that permanent arp entries for allowed_address_pair in DVR Routers is fixed? anyone has an idea or guidance ? | 06:03 |
athiatr | especially in OVN with VRRP arp entries that has issues where vip arp table update across the hosts | 06:04 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: [WSGI] Move all OVN jobs to use WSGI API module (3) https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932582 | 06:07 |
ralonsoh | athiatr, do you mean when the VIP changes to other host, it is not updated? | 06:10 |
athiatr | yes correct ralonsoh | 06:11 |
athiatr | ralonsoh, we had issues ovs with dvr where we disabled dvr and ran with dedicated neutron node which issue fixed | 06:13 |
ralonsoh | athiatr, what backend are you using? OVS or OVN? | 06:13 |
athiatr | but when we enable the ovn which by default dvr enabled which causing the issue now | 06:14 |
ralonsoh | dvr is only for FIP traffic in OVN, why should affect here? | 06:15 |
ralonsoh | how do you configure the VIP port? | 06:15 |
ralonsoh | I mean: do you create a port (VIP) and assign the IP to other ports as allowed-address-pair? | 06:15 |
athiatr | Let's take this way we had to fortigate two firewalls which have trunk ports with their sup ports which is give like fw01 with port1 and fw02 with port2 and fwvip with port3 | 06:17 |
athiatr | which vip port is allowed in address pair too., | 06:17 |
athiatr | and we saw some bugs in this case (1774459) which is no progress till date. | 06:18 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: [WSGI] Move all OVN jobs to use WSGI API module (2) https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932524 | 06:19 |
opendevreview | Rodolfo Alonso proposed openstack/neutron-tempest-plugin master: [WSGI] Move all OVN jobs to use WSGI API module (3) https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932582 | 06:19 |
ralonsoh | athiatr, https://bugs.launchpad.net/neutron/+bug/1774459 is for ML2/OVS and the L3 agent | 06:20 |
ralonsoh | are you using ML2/OVS or ML2/OVN? | 06:21 |
ralonsoh | athiatr, are you using a VIP that is also assigned to a VM port? | 06:21 |
athiatr | how we can assign vip port two firewalls vm since its been ha model | 06:22 |
athiatr | we are using ML2/OVN | 06:23 |
ralonsoh | my question is very specific: the VIP that you are assigning to the FW ports, from where is this VIP address? | 06:24 |
ralonsoh | is this VIP address assigned as fixed IP in a VM port? | 06:24 |
athiatr | vip port will not attached to any vm its part same subnet and the vm kernel we apply vip address | 06:26 |
ralonsoh | athiatr, are the VMs with the VIP assigned in different hosts? | 06:33 |
ralonsoh | when the VIP changes to another host, you'll be able to see that in the Neutron port host | 06:34 |
ralonsoh | that means OVN has captured the GARP of the VIP from the new port | 06:35 |
ralonsoh | and should change the binding | 06:35 |
athiatr | I'll give the example, that i have 10 host where host 1 and 2 run firewalls as 01 and 02, and enabling tenant routers which are automatically sitting host 10 | 06:38 |
athiatr | now the fw01 is having vip in kernel and want to communicate to tenant routers, means vip arp traffic should go from host 1 to host 10 | 06:38 |
athiatr | from host10 i could see the vip arp and mac which is not permanent state and its get disappeared with in 10sec and overall we enable to communicate fw vm to tenant routers. | 06:40 |
ralonsoh | athiatr, I'm not an OVN expert but ARP resolution is handled by OVN with the port binding table | 06:43 |
ralonsoh | any traffic for a known MAC/IP (the VIP in this case) is forwarded to the correct chassis | 06:44 |
ralonsoh | please, open a LP bug describing this issue | 06:44 |
athiatr | okay, and any reference docs for port binding table in ovn that u have , pls share it may help to understand more and thanks for this tech convo., | 06:46 |
opendevreview | Liushy proposed openstack/neutron master: Only consider the IPv4 subnets when creating a FIP https://review.opendev.org/c/openstack/neutron/+/932405 | 06:46 |
ralonsoh | athiatr, I'm just reading the ovn code | 06:46 |
aravindh | So, VIP is a dummy port interface that is created, but not attached to any VM (say VIP IP is .10). You have 2 firewall VM in your admin tenant that needs ha sync and you are using this VIP to sync config as well as use this VIP IP for your other routes to point to firewall appliance vm. Now you say when the VIP IP is on the same gateway chassis as your VM does (your nw node has compute and nw role), it works fine. But when the VIP IP is pinned | 06:47 |
aravindh | than your FW vm, you cannot reach it. | 06:47 |
aravindh | This scenario worked with non DVR OVS Setup, but did not work with OVS + DVR and OVN? Is this problem statement accurate? | 06:48 |
athiatr | yes this problem statement is correct, aravindh | 06:49 |
aravindh | If you manage to pin your router to a gateway chassis, but if your active vm fails, again it would disrupt traffic, because your router and vm now again exist in a different node. Interesting. | 06:50 |
aravindh | ralonsoh: When the port is created but is not attached to any VM, does it propagate the MAC address to other nodes with ARP persistently? I think ignore_lsp_down option on ovn_nb_global config in ml2.ini did not help this usecase, as I discussed with Athi on a separate channel. | 06:53 |
*** liuxie is now known as liushy | 07:16 | |
ralonsoh | aravindh, OVN does not "propagate" the MAC, it installs the ARP responder flows | 07:20 |
aravindh | ralonsoh: I just checked the status for a port that is bound to a VM, it shows the binding_vif_details: bound_drivers.0 = ovn with l2 system datapath. binding_vnic_type = normal and shows binding host ID | 07:24 |
aravindh | But for the port that is not attached, which is what he is trying to use, it's unbound and does not show any host in the binding_host_id | 07:24 |
ralonsoh | aravindh, you mean the VIP port | 07:25 |
aravindh | yes the VIP port that is just created, but not attached to any VM at this point | 07:26 |
ralonsoh | ok, once you assign the VIP as allowed address pair to a VM port, add the IP address to the port and send a GARP from this port, OVN will catch it and Neutron will update the host | 07:26 |
aravindh | Port 1 is attached to VM 1, port 2 is attached to VM2, port 3- the VIP is not attached. | 07:26 |
ralonsoh | that's correct | 07:27 |
aravindh | Allowed address pair is only when the port security is enabled for the network? What if it's disabled? | 07:27 |
ralonsoh | it's not possible | 07:27 |
aravindh | Ahh so port security is mandatory heh? | 07:27 |
ralonsoh | yes | 07:27 |
aravindh | And this should work with trunk as well right? | 07:28 |
ralonsoh | I never tried and we don't test it, I *think* there was an issue related | 07:28 |
ralonsoh | yes, if you assign the VIP to a subport | 07:28 |
ralonsoh | Neutron won't update the VIP host ID | 07:28 |
ralonsoh | (I think) | 07:29 |
ralonsoh | but the whole functionality works | 07:29 |
ralonsoh | https://bugs.launchpad.net/neutron/+bug/2080492 | 07:29 |
aravindh | Alright, I will test two scenarios from my side. One enable port security, set a rule that allows everything in and out, add allowed address pair. Two do this again for a trunk subport as VIP | 07:32 |
aravindh | ralonsoh: Thanks for your assistance, i would test this in my env and update you back. | 07:36 |
ralonsoh | ykarel, trivial review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932581/1 | 08:48 |
ralonsoh | thanks in advance! | 08:48 |
opendevreview | Merged openstack/neutron master: ut: Remove unused method https://review.opendev.org/c/openstack/neutron/+/932351 | 08:58 |
opendevreview | Merged openstack/neutron-tempest-plugin master: Update irrelevant-files with 2024.2 jobs zuul file https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932581 | 09:00 |
*** elodilles_pto is now known as elodilles | 09:12 | |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [WSGI] Move all OVS jobs to use WSGI API module (2) https://review.opendev.org/c/openstack/neutron/+/932592 | 09:12 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: zuul: Explicitly set NEUTRON_DEPLOY_MOD_WSGI https://review.opendev.org/c/openstack/neutron/+/932189 | 09:14 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI https://review.opendev.org/c/openstack/neutron/+/931842 | 11:14 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI https://review.opendev.org/c/openstack/neutron/+/932601 | 11:15 |
ralonsoh | qq slaweq: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/867518 | 11:17 |
ralonsoh | do we still need the *enforce-scope-old-defaults job? | 11:17 |
ralonsoh | in 2025.1 | 11:17 |
ralonsoh | I'm asking this because this job is failing very often and I think we no longer need this test (I think) | 11:18 |
ralonsoh | we can remove one n-t-p job, at least for 2025.1 | 11:18 |
slaweq | ralonsoh I need to check it with gmann, I remember we were discussing that some time ago but I don't remember really | 12:12 |
slaweq | but I think we should probably keep that job as long as old defaults are also there | 12:12 |
slaweq | at some point we will need to clean them and then we can remove that job for sure, but I just don't know if it should be now | 12:13 |
ralonsoh | slaweq, sure, thanks! | 12:21 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI https://review.opendev.org/c/openstack/neutron/+/932601 | 12:41 |
*** iurygregory_ is now known as iurygregory | 12:57 | |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI https://review.opendev.org/c/openstack/neutron/+/932601 | 14:30 |
haleyb | ralonsoh: i did create https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/932527 as well, which we can merge as soon as unmaintained/2023.1 is created, removes 7 jobs | 14:37 |
ralonsoh | haleyb, perfect! | 14:37 |
ralonsoh | haleyb, if you mark it as active, I'll +2 it | 14:38 |
haleyb | ETOOMANYJOBS for n-t-p - i guess it should be ok as we have nothing in the stable/2023.1 branch to merge, and things should be cut soon | 14:38 |
haleyb | the change to move those jobs to use unmaintained i believe are bot driven too | 14:40 |
cardoe | gmann: sorry for the long delay. I'll just bring it up in the #-events channel. | 15:15 |
gmann | ralonsoh: slaweq: we still need the enforce-scope-old-defaults job as old defaults still there as deprecated and we should test them until we remove them | 16:07 |
opendevreview | Vladimir Prokofev proposed openstack/neutron-specs master: Add spec for random-fully per-FIP feature RFE. https://review.opendev.org/c/openstack/neutron-specs/+/932650 | 18:45 |