Friday, 2015-06-05

[00:24] <klindgren__> mgagne, you around?
[00:25] <mgagne> klindgren__: I am, what can I do for you?
[00:25] <klindgren__> cool - you said a while ago that you had a hack to re-add the NWfilter stuff to vifs created under neutron
[00:25] <klindgren__> does that hack also work with allowed address pairs?
[00:26] <mgagne> klindgren__: not at all, it's not aware of allowed address pairs
[00:27] <klindgren__> *sigh*
[00:27] <klindgren__> looks like the platform independent arp spoofing stuff has been rejected on the final patches
[00:27] <mgagne> yea, I'm not even sure how I will migrate out from that after anti-spoofing lands in neutron
[00:27] <klindgren__> but the OVS based arp spoofing filters got put in
[00:28] <klindgren__> mgagne, we did the migration not too long ago - luckily neutron rebuilds all the iptables rules
[00:28] <klindgren__> so restart neutron-<whatever>-agent
[00:28] <klindgren__> it will add its filter rules above neutrons
[00:29] <mgagne> klindgren__: how do you remove the ones defined by libvirt?
[00:29] <klindgren__> above novas*
[00:29] <klindgren__> hrm
[00:29] <klindgren__> thinking....
[00:29] <klindgren__> I don't actually recall having to do that....
[00:30] <mgagne> we are talking about ebtables right?
[00:30] <klindgren__> I assume this is where my testing went south
[00:30] <klindgren__> :-)
[00:33] *** klindgren__ is now known as klindgren
[00:40] <klindgren> so I am pretty sure I focused on iptables only in my testing.  Not realizing that arp couldn't be filtered by iptables - at the time.
[00:49] <WormMan> yay! arptables, yay! ebtables
[00:49] <WormMan> yay! lobotomy!
[00:49] <WormMan> er, sorry :)
[01:06] <klindgren> WormMan, exactly
[14:09] <dmsimard> klindgren: Saw your chat with mgagne yesterday
[14:13] <dmsimard> mgagne and I work on the same public cloud - We had this case of a customer that tried to attach multiple NICs to his VMs with IPs in the same subnet and lots of interesting things happen when you do that
[14:13] <dmsimard> Like the "who has" ARP requests make it to the right NIC but the replies are sent from another NIC so it's caught by anti-spoofing
[14:17] <dmsimard> Apparently it's hard to have IP addresses in the same subnet on different network interfaces (usually you'd put them as secondary like eth1:1, etc.)
[14:18] <dmsimard> The workaround he's come up with: http://paste.openstack.org/show/266066/
[14:19] <dmsimard> Obviously configuring additional IPs as eth1:1 would fail due to anti-spoofing
[14:19] <clayton> I was reading about something similar this morning.  apparently another approach is to create a neutron port with multiple ip addresses
[14:19] <clayton> then you can configure the additional ethx:y interfaces
[14:22] <dmsimard> clayton: Interesting, does look like you can do that upon creation of the port but not afterwards (via port-update)
[14:22] <dmsimard> I might just try that to see what happens
[14:23] <clayton> it looks like you can also disable the anti-spoofing rules in kilo, reading up on that now
[14:23] <clayton> we're running our openstack dev environments on top of openstack, so I want to be able to run virtual routers w/vxlan networks in that environment
[14:23] <clayton> so I need to be able to give the node running the virtual router the ability to spoof traffic
[14:24] <dmsimard> Oh, we have a dev environment based on Openstack too but we've disabled anti-spoofing and security groups altogether
[14:24] <dmsimard> Makes it.. easier
[14:25] <clayton> we run our dev environments on top of the prod environment, so that might not work for us ;)
[14:25] <dmsimard> Fair enough
[14:25] <clayton> ideally I want to be able to disable it on a per network basis, or worst case, per port basis
[14:32] <dmsimard> Yeah, anti-spoofing is great and all but makes stuff like load balancing or routing a pain
[14:53] <klindgren> I didn't think you could have more than 1 ip address on a port in neutron?
[14:54] <andyhky> klindgren: https://wiki.openstack.org/wiki/Neutron/APIv2-specification#Port
[14:54] <andyhky> fixed_ips is a list
[14:56] <dmsimard> The option is repeatable
[14:56] <dmsimard> On the port-create command
[15:05] <klindgren> dmsimard per the CLI tool for port update: subnet_id=SUBNET,ip_address=IP_ADDR Desired IP and/or subnet for this port: subnet_id=<name_or_id>,ip_address=<ip>. You can repeat this option
[15:06] <dmsimard> klindgren: For port update or port create? I don't see the option on update - if it exists my client might be outdated
[15:06] <klindgren> http://docs.openstack.org/cli-reference/content/neutronclient_commands.html#neutronclient_subcommand_port-update
[15:06] <klindgren> it's under update
[15:07] <dmsimard> Ah, yup - just updated neutronclient and I see it now.
[19:22] <klindgren> dmsimard, couldn't you also fix that by playing with the arp sysctl settings arp_announce and arp_ignore?
[19:23] <klindgren> EG arp_ignore = 1 1 - reply only if the target IP address is local address
[19:23] <klindgren> configured on the incoming interface
[19:24] <klindgren> default is 0 which is reply to any request for any ip configured on any interface
[19:24] <dmsimard> klindgren: I haven't spent too much time on the whole thing (yet)
[19:25] <dmsimard> Ideally iptables and ebtables would be managed by neutron and would handle everything gracefully
[19:25] <dmsimard> But we're not going to see that until Liberty (or Kilo? Haven't checked the commits in a bit)
[19:25] <klindgren> yea - which btw the last 2 of the 4 patches for that have been abandoned now
[19:25] <dmsimard> How come?
[19:26] <klindgren> I dunno
[19:26] <klindgren> I have been trying to get more info - basically they rejected the code or concept or something
[19:26] <dmsimard> Oh haven't I seen something about them wanting to do something "different" than what they implemented for iptables?
[19:26] <klindgren> Mark M is going to solve it some other way
[19:27] <klindgren> I think the complaints were that an Ebtables manager and an iptables manager did similar stuff and could probably be refactored to use the same code path
[19:27] <klindgren> or something like that - but I haven't found any links to the discussion
[19:28] <klindgren> https://bugs.launchpad.net/neutron/+bug/1274034
[19:28] <openstack> Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,In progress] - Assigned to Mark McClain (markmcclain)
[19:28] <klindgren> specifically https://bugs.launchpad.net/neutron/+bug/1274034/comments/56
