Friday, 2025-04-25

opendevreviewRico Lin proposed openstack/neutron master: Fix ovn db sync with log resources  https://review.opendev.org/c/openstack/neutron/+/94805301:03
opendevreviewLiushy proposed openstack/neutron master: [ovn]Allow multiple IPv6 ports on router from same network  https://review.opendev.org/c/openstack/neutron/+/93693103:04
opendevreviewyatin proposed openstack/networking-bagpipe master: [DNM] Check tempest failure  https://review.opendev.org/c/openstack/networking-bagpipe/+/94817003:08
opendevreviewliuyulong proposed openstack/neutron master: Adds unique constraint for network segment ranges  https://review.opendev.org/c/openstack/neutron/+/94789803:57
opendevreviewRico Lin proposed openstack/neutron master: Fix ovn db sync with log resources  https://review.opendev.org/c/openstack/neutron/+/94805305:29
ykareltobias-urdin, hi when you get chance can you check/triage dynamic routing bug https://bugs.launchpad.net/neutron/+bug/2108985 ?07:48
opendevreviewyatin proposed openstack/neutron master: [UT] Keep metadata disabled in no_dhcp_release6 check test  https://review.opendev.org/c/openstack/neutron/+/94818008:23
slaweqliushy hi, am I correct that you were working on the ovn driver for neutron-fwaas? If yes, do you maybe remember why it was implemented as "stateless" ACLs?08:43
liushyslaweq, because ovn-northd does not apply stateful ACLs for router ports by default: https://github.com/ovn-org/ovn/blob/9ca70580745e11e7b467feea91453a2f80e658d6/northd/northd.c#L602008:50
tobias-urdinykarel: ack, just glancing at it looks valid, but dvr is a bit of a blackbox to me as i've never tried it08:51
opendevreviewVasyl Saienko proposed openstack/ovn-octavia-provider master: Prepare to handle ha_chassis_group for LRP  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/94324309:02
opendevreviewMerged openstack/neutron stable/2025.1: Return a HTTP404 message when the Metadata instance is not present  https://review.opendev.org/c/openstack/neutron/+/94794710:21
opendevreviewRodolfo Alonso proposed openstack/neutron master: Subnet filter by "router:external" needs to be changed to "external"  https://review.opendev.org/c/openstack/neutron/+/94807310:32
opendevreviewMerged openstack/neutron-tempest-plugin master: [FWaaS] Update icmp_reachability_test for OVN backend  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/94792010:57
fricklerykarel: tobias-urdin: also zed is unmaintained, so likely my first question would be whether the issue can be reproduced with a maintained release. likely not much has changed on the n-d-r side, but maybe for DVR? (/me also doesn't use DVR nor BGP for IPv4)12:25
ykarelthx frickler tobias-urdin will ask for reproducibility in master or stable release13:03
opendevreviewRodolfo Alonso proposed openstack/neutron master: Initialize the network segment ranges only in first WSGI worker  https://review.opendev.org/c/openstack/neutron/+/94820013:49
haleyb#startmeeting neutron_drivers14:00
opendevmeetMeeting started Fri Apr 25 14:00:14 2025 UTC and is due to finish in 60 minutes.  The chair is haleyb. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'neutron_drivers'14:00
haleybPing list: ykarel, mlavalle, mtomaska, slaweq, obondarev, tobias-urdin, lajoskatona, haleyb, ralonsoh14:00
slaweqo/14:00
obondarevo/14:00
ralonsohhello14:00
yusufgungor_o/14:00
haleybhopefully one more driver will come, but we do have 4 so can get started14:01
haleybslaweq: did you want to start with https://bugs.launchpad.net/neutron/+bug/2106816 ? it was on the agenda for a previous week14:02
slaweqsure14:02
mlavalle\o14:02
slaweqbasically this is just an idea about improvement14:02
slaweqthis is already available in ovn since some time14:02
slaweqso I was thinking on doing that in neutrn as new qos rule type14:03
slaweqof course if there will be no hard "no" for this idea I will do spec first as this will require new APIs, etc.14:04
ralonsohjust asking, what does this feature provides?14:05
haleybthe description in the OVN change makes it sound like limiting the number of things in a CT zone, but it's more at QoS?14:05
ralonsohright (I was just asking to make it public here)14:06
slaweqpossiblity to set max conntrack entries per zone, not globally14:06
slaweqcurrently number of connections is set on node globally and with that it could be changed per port or per network14:06
ralonsohI think the idea of using the QoS API is good, IMO14:07
ralonsohI would ask for a spec, because this is a complex feature, but I'm good with this14:08
mlavallein priciple it is a good idea, but I14:08
slaweqfor sure I will write spec for this before doing any code changes :)14:08
mlavallewould really like to see a spec14:08
haleybagreed, since it took me a minute to figure out how QoS applied, but it's more just the API to get the info into neutron14:09
haleybif i'm understanding it correctly14:10
slaweqyeap, you are14:10
mlavallesince a spec will be provided, +1 from me14:10
ralonsoh+114:10
haleyb+1 from me14:10
opendevreviewRico Lin proposed openstack/neutron master: Fix ovn db sync with log resources  https://review.opendev.org/c/openstack/neutron/+/94805314:11
opendevreviewRico Lin proposed openstack/neutron master: Update instead of recreate acl in ovn sync  https://review.opendev.org/c/openstack/neutron/+/94821514:11
haleybobondarev: vote?14:11
obondarev+1 with the spec14:11
haleybgreat, that's three, i'll update the rfe flags, etc14:12
haleybnext one i added and i see yusufgungor_ is here14:13
slaweqthanks14:13
haleyb#link https://bugs.launchpad.net/neutron/+bug/210763414:13
yusufgungor_can i get your comments? do you think it is doable?14:14
opendevreviewRico Lin proposed openstack/neutron master: Update instead of recreate acl in ovn sync  https://review.opendev.org/c/openstack/neutron/+/94821514:14
haleybyusufgungor_: can you give a short overview as it's a large descrtiption in the bug14:15
yusufgungor_we aim to apply acl rules between the tenant networks so trying to send the different vxlan tenant networks traffic to the external firewall14:16
yusufgungor_but using dvr and bgp, it is not possible for the instances which are located on the same host14:17
slaweqcan you maybe use neutron-fwaas to apply SG rules on the router's level? Would that be solution for you maybe?14:17
yusufgungor_we have tried the security group rules but no chance14:18
yusufgungor_ We cannot use Security Groups because we cannot manage ACLs centrally and easily, and as discussed in a bug report we previously submitted, packet loss during live migration increases dramatically as the number of rules grows. Neutron developers informed us that there is no definitive solution for this, and it operates on a best-effort basis. (https://bugs.launchpad.net/neutron/+bug/1970606) Therefore, we need to 14:18
yusufgungor_route the traffic between tenant networks through a physical firewall.14:18
ralonsohso what you are basically proposing is a way to, via configuration, revert https://review.opendev.org/c/openstack/neutron/+/35506214:19
ralonsohis that a quick summary?14:19
slaweqI'm not talking abotut SGs  but fwaas: https://docs.openstack.org/neutron/latest/admin/fwaas.html which is a bit different thing14:19
yusufgungor_@ralansoh yes 14:20
yusufgungor_@slaweq you are right but we have not tried fwaas because it was deprecated once before, so we had doubts about using it14:22
mlavalleralonsoh: wasn't that patch reverted here https://review.opendev.org/c/openstack/neutron/+/468075?14:22
ralonsohmlavalle, sorry, the other one: https://review.opendev.org/c/openstack/neutron/+/28375714:23
slaweqmlavalle isn't https://review.opendev.org/c/openstack/neutron/+/474007 adding the same again?14:23
ralonsohin any case, is the code related to https://bugs.launchpad.net/neutron/+bug/157748814:24
yusufgungor_@ralansoh yes you are right. actually one can say that this behaviour is normal because these tenant networks are belong to same address scope 14:26
slaweqI am reading this LP once again and there is one thing which worries me. You said "instances in VXLAN tenant networks located in different routers within different projects can directly access each other if they are on the same compute host." - does it means that instances from 2 different tenant networks can talk to each other if they are on the same host?14:26
slaweqor am I misunderstanding something there?14:26
yusufgungor_@slaweq  you are right, that is the case, the instances which are on the same host can talk the each other directly on the fip netns of the host14:28
mlavalleI understood that from the LP14:28
haleybi'm assuming only if in the same address scope?14:28
ralonsohwell, they can route the traffic, not talk directly14:28
yusufgungor_because the external gw of the routers are the same vlan provider network. tenant networks and the provider networks also on the same address scope. (bgp requirements)14:29
slaweqbut how - do the have somehow L2 connectivity or L3 using SNAT/FIPs ?14:29
slaweqralonsoh ok, I think I understand now14:30
yusufgungor_sorry, when saying directly i mean routing. (instead of the default gw of the provider networks)14:30
ralonsohbut I have question (because I dont' remember now the architecture)14:30
ralonsohthere is a FIP namespace per router, right?14:30
slaweqso basically neutron works as expected here, the only problem is that there is no way for the operator to apply rule which would prevent such kind of communication between different tenant networks using External network14:30
yusufgungor_actually not per router, per external provider network, we have seen in our tests14:31
slaweqralonsoh FIP namespace is one per external network IIRC14:31
yusufgungor_@org.matrix:slaweq  yes, we are looking for a way to prevent that routing14:31
ralonsohhmmmm yeah, that could be a problem if we just allow routing any port inside this namespace14:31
ralonsohanother question: how do we create this address scopes?14:32
ralonsohbecause this is what is allowing the routing between IPs inside the FIP namespace14:32
haleybopenstack address scope create ...14:33
ralonsohno, I mean how are we "connecting" these subnets inside the FIP namespace14:33
haleybi know we wrote a whole section in the docs for these cases so that users could allocate blocks, but think that patch is just doing it ?14:34
haleybi.e. dvr_local_router.py14:35
haleybit's been a while since i've looked at dvr as well14:35
ralonsohIf a gateway is configured and if it has internal ports that belong14:35
ralonsohto the same address_scopes then no need to add the redirect rules.14:35
ralonsohAt the same we should also add a static route in the fip namespace14:35
ralonsohfor every interface that is connected to the router that belongs to14:35
ralonsohthe same address scope.14:35
ralonsohfrom the patch14:36
ralonsohshould we also check that the port belongs to the same router of the FIP?14:36
ralonsohbecause we can have several subnets, belonging to different routers, with the same address scope14:36
ralonsohthat is something legit14:36
haleybwe would need to loop-in someone like liushy since i think he still runs ml2/ovs/dvr in production14:38
yusufgungor_actually the routes on the fip netns from different routers used to get traffic inside to the compute node when using bgp. so these routes are acceptable but they should only used for the incoming traffic to the agent gw port. not the traffic goes from qrouters to the fip netns14:38
ralonsohis that something that we can reproduce without bgp?14:39
yusufgungor_you check the solution file which we have added to the bug report14:40
yusufgungor_https://launchpadlibrarian.net/788646867/fip-netns-ip-route-rule.txt14:40
ralonsohjust with two routers with dvr and several VMs in the same compute?14:40
slaweqhaleyb I don't know about liushy but for sure liuyulong is using it in their production14:40
haleybslaweq: sorry wrong nick14:40
mlavalleyusufgungor_: you've deployed https://launchpadlibrarian.net/788646867/fip-netns-ip-route-rule.txt and achieved the result you describe above?14:41
yusufgungor_@ralonsoh i am not sure, we can try to disable bgp, removing address scopes etc to see it. if you need that14:41
ralonsohnot removing address scopes, that is a neutron feature14:42
ralonsohbut seems that can be reproduced just with a couple of routers, one FIP and one single compute node with a dvr router14:42
yusufgungor_we have created a new ip table and moved the routes from the routers to the in it (from main table to that table) then make an ip rule to use this table for only the exiting traffic from qrouters to the fip netns14:42
ralonsohif that is the case, that could be much easier to test14:42
yusufgungor_* sorry, that would be incoming traffic14:43
haleybbrb, doorbell14:43
yusufgungor_@ralonsoh i hope 14:44
ralonsohyusufgungor_, in any case, is this isolation breaking the previous feature?14:44
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/474007 ^14:44
ralonsoh(I'm not saying this is bad if there is a bug)14:44
yusufgungor_@ralonsoh as far as I understand, no14:45
yusufgungor_actually that behaviour is not a problem for the most of the neutron users. Keeping the same tenant network traffic on the same host is acceptable. But in our case we have SOX cybersecurity compliance and find a way to disable this behaviour 14:46
yusufgungor_we can make the change using a new flag like isolate_tenant_networks etc and keep the old behaviour as default 14:46
yusufgungor_* same tenant network traffic = same address scoped tenant network14:47
ralonsohok I think you should propose a patch for Neutron but with a good documentation and testing14:48
yusufgungor_the probability of this patch coming from the community is almost zero, right? Just asking to be sure 😀14:49
mlavalleunlikely14:49
ralonsohI don't think so but you can ask via mail14:49
ralonsohbtw, this is not strictly a bug, as you asked in the LP14:50
yusufgungor_I asked to forward this to my manager regarding the time spent on development, thanks14:50
yusufgungor_yes it is not a bug when you look at from the address scope site, but using the address scopes is not a choice, it is must when using dynamic routing 14:51
haleybok, so it sounds like we need a spec? 14:52
ralonsohI think so, at least to describe this new feature14:52
yusufgungor_ok but i can't make promises, I need to talk to my manager about making time14:53
haleybsure, so then should we vote? it seems there is a need for this14:53
mlavalleunderstood14:53
mlavalle+114:53
ralonsoh+114:54
obondarev+114:54
haleyb+114:54
haleybyusufgungor_: thanks for bringing it up14:54
slaweq+114:55
haleybsince we don't have much time will move on to last rfe14:55
yusufgungor_thanks you for your time guys 🙏14:55
haleyb#link https://bugs.launchpad.net/neutron/+bug/209227114:55
ralonsohvery quick14:55
ralonsohI'm implenting that in https://review.opendev.org/q/topic:%22bug/2092271%2214:55
ralonsohbut when doing the last patches (https://review.opendev.org/c/openstack/neutron/+/947906)14:55
ralonsohThere was a report about ovn-octavia-provider14:56
ralonsohthat is relying on lrp.gateway_chassis14:56
ralonsohthe patch for this project: https://review.opendev.org/c/openstack/ovn-octavia-provider/+/94324314:56
ralonsohmy question: can we backport it to 2025.1, send a mail to upgrade to this version and then implement the change in neutron in 2026.1?14:57
ralonsohI'm saying this because if we cannot do this (the backport)14:57
ralonsohwe would need to wait for 2027.114:57
ralonsohat this point, I'll be closer to my retirement!14:57
ralonsohI know I'm blending a bit the SLURP release cadence by asking for this backport (https://review.opendev.org/c/openstack/ovn-octavia-provider/+/943243)14:58
haleybwe all will :)14:58
ralonsohif we all agree with this, I'll send the backport, the releases patch for a new release and a mail14:58
haleybralonsoh: i don't think the backport to 2025.1 would break anything as it does check for ha_chassis_group14:59
ralonsohnot at all, the backport won't break anything14:59
slaweqif it won't break things I am fine with it15:00
haleybralonsoh: the other thing i saw you mention is there is no neutron requirement there, does that need to be addressed?15:00
haleybseparate issue i suppose15:01
ralonsohhmmmm I thought that was mandatory for any project. ovn-octavia-provider requires neutron15:01
ralonsohyes, separate issue15:01
ralonsohlet me check that and I'll raise that topic next week15:01
ralonsoh(or open a LP bug)15:01
haleybi only saw neutron-lib in requirements.txt just now15:01
haleyback15:02
haleyb+1 for backport15:02
mlavalle+115:03
ralonsohthank you folks 15:03
haleybwe can all retire before 2027.1 now :)15:03
ralonsohyeah!15:03
obondarev+115:03
ralonsoh(sorry for the extra time)15:03
haleybnp15:04
slaweqhaleyb yeah \o/15:04
haleybthat was the last item, anything else? if not have a nice weekend everyone!15:04
haleyb#endmeeting15:04
opendevmeetMeeting ended Fri Apr 25 15:04:54 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:04
opendevmeetMinutes:        https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-04-25-14.00.html15:04
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-04-25-14.00.txt15:04
opendevmeetLog:            https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-04-25-14.00.log.html15:04
haleybo/15:04
ralonsohhave a nice weekend!15:04
slaweqthx, have a nice weekend all15:05
obondarev\o15:05
mlavalle\o15:05
haleybyusufgungor_: feel free to ping me, or ask in the bug, if you have question on proposing a spec15:05
yusufgungor_ok, thanks @haleyb15:07
sahidhaleyb: o/ if you have a moment, this is still blocked by your vote https://review.opendev.org/c/openstack/neutron/+/94098315:17
sahidthanks in advance15:17
opendevreviewMerged openstack/ovn-octavia-provider master: Prepare to handle ha_chassis_group for LRP  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/94324316:28
opendevreviewMerged openstack/neutron-tempest-plugin master: Add neutron-tempest-plugin-fwaas-ovn job  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/94758717:28
-opendevstatus- NOTICE: Gerrit is getting restarted to pick up container image updates. It should only be gone for a moment.18:16
opendevreviewMiguel Lavalle proposed openstack/neutron master: [DNM] Debug L3 HA fullstack tests  https://review.opendev.org/c/openstack/neutron/+/94828023:44

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!