Re: [openstack-dev] [horizon] [heat-dashboard] Horizon plugin settings for new xstatic modules

[Akihiro Motoki]

Hi Kaz,

These repositories are under horizon project. It looks better to keep the
current core team.
It potentially brings some confusion if we treat some horizon plugin team
specially.
Reviewing xstatic repos would be a small burden, wo I think it would work
without problem even if only horizon-core can approve xstatic reviews.


2018-03-20 10:02 GMT+09:00 Kaz Shinohara :

> Hi Ivan, Horizon folks,
>
>
> Now totally 8 xstatic-** repos for heat-dashboard have been landed.
>
> In project-config for them, I've set same acl-config as the existing
> xstatic repos.
> It means only "xstatic-core" can manage the newly created repos on gerrit.
> Could you kindly add "heat-dashboard-core" into "xstatic-core" like as
> what horizon-core is doing ?
>
> xstatic-core
> https://review.openstack.org/#/admin/groups/385,members
>
> heat-dashboard-core
> https://review.openstack.org/#/admin/groups/1844,members
>
> Of course, we will surely touch only what we made, just would like to
> manage them smoothly by ourselves.
> In case we need to touch the other ones, will ask Horizon team for help.
>
> Thanks in advance.
>
> Regards,
> Kaz
>
>
> 2018-03-14 15:12 GMT+09:00 Xinni Ge :
> > Hi Horizon Team,
> >
> > I reported a bug about lack of ``ADD_XSTATIC_MODULES`` plugin option,
> >  and submitted a patch for it.
> > Could you please help to review the patch.
> >
> > https://bugs.launchpad.net/horizon/+bug/1755339
> > https://review.openstack.org/#/c/552259/
> >
> > Thank you very much.
> >
> > Best Regards,
> > Xinni
> >
> > On Tue, Mar 13, 2018 at 6:41 PM, Ivan Kolodyazhny 
> wrote:
> >>
> >> Hi Kaz,
> >>
> >> Thanks for cleaning this up. I put +1 on both of these patches
> >>
> >> Regards,
> >> Ivan Kolodyazhny,
> >> http://blog.e0ne.info/
> >>
> >> On Tue, Mar 13, 2018 at 4:48 AM, Kaz Shinohara 
> >> wrote:
> >>>
> >>> Hi Ivan & Horizon folks,
> >>>
> >>>
> >>> Now we are submitting a couple of patches to have the new xstatic
> >>> modules.
> >>> Let me request you to have review the following patches.
> >>> We need Horizon PTL's +1 to move these forward.
> >>>
> >>> project-config
> >>> https://review.openstack.org/#/c/551978/
> >>>
> >>> governance
> >>> https://review.openstack.org/#/c/551980/
> >>>
> >>> Thanks in advance:)
> >>>
> >>> Regards,
> >>> Kaz
> >>>
> >>>
> >>> 2018-03-12 20:00 GMT+09:00 Radomir Dopieralski  >:
> >>> > Yes, please do that. We can then discuss in the review about
> technical
> >>> > details.
> >>> >
> >>> > On Mon, Mar 12, 2018 at 2:54 AM, Xinni Ge 
> >>> > wrote:
> >>> >>
> >>> >> Hi, Akihiro
> >>> >>
> >>> >> Thanks for the quick reply.
> >>> >>
> >>> >> I agree with your opinion that BASE_XSTATIC_MODULES should not be
> >>> >> modified.
> >>> >> It is much better to enhance horizon plugin settings,
> >>> >>  and I think maybe there could be one option like
> ADD_XSTATIC_MODULES.
> >>> >> This option adds the plugin's xstatic files in STATICFILES_DIRS.
> >>> >> I am considering to add a bug report to describe it at first, and
> give
> >>> >> a
> >>> >> patch later maybe.
> >>> >> Is that ok with the Horizon team?
> >>> >>
> >>> >> Best Regards.
> >>> >> Xinni
> >>> >>
> >>> >> On Fri, Mar 9, 2018 at 11:47 PM, Akihiro Motoki 
> >>> >> wrote:
> >>> >>>
> >>> >>> Hi Xinni,
> >>> >>>
> >>> >>> 2018-03-09 12:05 GMT+09:00 Xinni Ge :
> >>> >>> > Hello Horizon Team,
> >>> >>> >
> >>> >>> > I would like to hear about your opinions about how to add new
> >>> >>> > xstatic
> >>> >>> > modules to horizon settings.
> >>> >>> >
> >>> >>> > As for Heat-dashboard project embedded 3rd-party files issue,
> >>> >>> > thanks
> >>> >>> > for
> >>> >>> > your advices in Dublin PTG, we are now removing them and
> >>> >>> > referencing as
> >>> >>> > new
> >>> >>> > xstatic-* libs.
> >>> >>>
> >>> >>> Thanks for moving this forward.
> >>> >>>
> >>> >>> > So we installed the new xstatic files (not uploaded as openstack
> >>> >>> > official
> >>> >>> > repos yet) in our development environment now, but hesitate to
> >>> >>> > decide
> >>> >>> > how to
> >>> >>> > add the new installed xstatic lib path to STATICFILES_DIRS in
> >>> >>> > openstack_dashboard.settings so that the static files could be
> >>> >>> > automatically
> >>> >>> > collected by *collectstatic* process.
> >>> >>> >
> >>> >>> > Currently Horizon defines BASE_XSTATIC_MODULES in
> >>> >>> > openstack_dashboard/utils/settings.py and the relevant static
> fils
> >>> >>> > are
> >>> >>> > added
> >>> >>> > to STATICFILES_DIRS before it updates any Horizon plugin
> dashboard.
> >>> >>> > We may want new plugin setting keywords ( something similar to
> >>> >>> > ADD_JS_FILES)
> >>> >>> > to update horizon XSTATIC_MODULES (or directly update
> >>> >>> > STATICFILES_DIRS).
> >>> >>>
> >>> >>> IMHO it is better to allow horizon plugins to add xstatic modules
> >>> >>> through horizon 

[openstack-dev] [cinder] Support share backup to different projects?

[TommyLike Hu]

Now Cinder can transfer volume (with or without snapshots) to different
projects,  and this make it possbile to transfer data across tenant via
volume or image. Recently we had a conversation with our customer from
Germany, they mentioned they are more pleased if we can support transfer
data accross tenant via backup not image or volume, and these below are
some of their concerns:

1. There is a use case that they would like to deploy their
develop/test/product systems in the same region but within different
tenants, so they have the requirment to share/transfer data across tenants.

2. Users are more willing to use backups to secure/store their volume data
since backup feature is more advanced in product openstack version
(incremental backups/periodic backups/etc.).

3. Volume transfer is not a valid option as it's in AZ and it's a
complicated process if we would like to share the data to multiple projects
(keep copy in all the tenants).

4. Most of the users would like to use image for bootable volume only and
share volume data via image means the users have to maintain lots of image
copies when volume backup changed as well as the whole system needs to
differentiate bootable images and none bootable images, most important, we
can not restore volume data via image now.

5. The easiest way for this seems to support sharing backup to different
projects, the owner project have the full authority while shared projects
only can view/read the backups.

6. AWS has the similar concept, share snapshot. We can share it by modify
the snapshot's create volume permissions [1].

Looking forward to any like or dislike or suggestion on this idea accroding
to my feature proposal experience:)


Thanks
TommyLike


[1]:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [kolla][vote] core nomination for caoyuan

[Jeffrey Zhang]

Time is up.

Welcome caoyuan join core team :D

On Fri, Mar 16, 2018 at 2:57 PM, duon...@vn.fujitsu.com <
duon...@vn.fujitsu.com> wrote:

> +1
>
>
>
> *From:* Jeffrey Zhang [mailto:zhang.lei@gmail.com]
> *Sent:* Monday, March 12, 2018 9:07 AM
> *To:* OpenStack Development Mailing List  openstack.org>
> *Subject:* [openstack-dev] [kolla][vote] core nomination for caoyuan
>
>
>
> ​​Kolla core reviewer team,
>
>
>
> It is my pleasure to nominate caoyuan for kolla core team.
>
>
>
> caoyuan's output is fantastic over the last cycle. And he is the most
>
> active non-core contributor on Kolla project for last 180 days[1]. He
>
> focuses on configuration optimize and improve the pre-checks feature.
>
>
>
> Consider this nomination a +1 vote from me.
>
>
>
> A +1 vote indicates you are in favor of caoyuan as a candidate, a -1
>
> is a veto. Voting is open for 7 days until Mar 12th, or a unanimous
>
> response is reached or a veto vote occurs.
>
>
>
> [1] http://stackalytics.com/report/contribution/kolla-group/180
>
> --
>
> Regards,
>
> Jeffrey Zhang
>
> Blog: http://xcodest.me
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Nova] [Cyborg] Tracking multiple functions

[Alex Xu]

2018-03-19 0:34 GMT+08:00 Nadathur, Sundar :

> Sorry for the delayed response. I broadly agree with previous replies.
> For the concerns about the impact of Cyborg weigher on scheduling
> performance , there are some options (apart from filtering candidates as
> much as possible in Placement):
> * Handle hosts in bulk by extending BaseWeigher
>  and
> overriding weigh_objects
> (),
> instead of handling one host at a time.
>

Still an external REST call, I guess people still doesn't like that.


>
* If we have to handle one host at a time for whatever reason, since the
> weigher is maintained by Cyborg, it could directly query Cyborg DB rather
> than go through Cyborg REST API. This will be not unlike other weighers.
>

That means when the cyborg DB schema changed, we have to restart the
nova-scheduler to update the weigher also. We couple the two service
upgrade together.


> Given these and other possible optimizations, it may be too soon to worry
> about the performance impact.
>

yea, maybe. What about the preferred traits?


>
> I am working on a spec that will capture the flow discussed in the PTG. I
> will try to address these aspects as well.
>
> Thanks & Regards,
> Sundar
>
>
> On 3/8/2018 4:53 AM, Zhipeng Huang wrote:
>
> @jay I'm also against a weigher in nova/placement. This should be an
> optional step depends on vendor implementation, not a default one.
>
> @Alex I think we should explore the idea of preferred trait.
>
> @Mathew: Like Sean said, Cyborg wants to support both reprogrammable FPGA
> and pre-programed ones.
> Therefore it is correct that in your description, the programming
> operation should be a call from Nova to Cyborg, and cyborg will complete
> the operation while nova waits. The only problem is that the weigher step
> should be an optional one.
>
>
> On Wed, Mar 7, 2018 at 9:21 PM, Jay Pipes  wrote:
>
>> On 03/06/2018 09:36 PM, Alex Xu wrote:
>>
>>> 2018-03-07 10:21 GMT+08:00 Alex Xu > sou...@gmail.com>>:
>>>
>>>
>>>
>>> 2018-03-06 22:45 GMT+08:00 Mooney, Sean K >> >:
>>>
>>> __ __
>>>
>>> __ __
>>>
>>> *From:*Matthew Booth [mailto:mbo...@redhat.com
>>> ]
>>> *Sent:* Saturday, March 3, 2018 4:15 PM
>>> *To:* OpenStack Development Mailing List (not for usage
>>> questions) >> >
>>> *Subject:* Re: [openstack-dev] [Nova] [Cyborg] Tracking multiple
>>> functions
>>>
>>> __ __
>>>
>>> On 2 March 2018 at 14:31, Jay Pipes >> > wrote:
>>>
>>> On 03/02/2018 02:00 PM, Nadathur, Sundar wrote:
>>>
>>> Hello Nova team,
>>>
>>>   During the Cyborg discussion at Rocky PTG, we
>>> proposed a flow for FPGAs wherein the request spec asks
>>> for a device type as a resource class, and optionally a
>>> function (such as encryption) in the extra specs. This
>>> does not seem to work well for the usage model that I’ll
>>> describe below.
>>>
>>> An FPGA device may implement more than one function. For
>>> example, it may implement both compression and
>>> encryption. Say a cluster has 10 devices of device type
>>> X, and each of them is programmed to offer 2 instances
>>> of function A and 4 instances of function B. More
>>> specifically, the device may implement 6 PCI functions,
>>> with 2 of them tied to function A, and the other 4 tied
>>> to function B. So, we could have 6 separate instances
>>> accessing functions on the same device.
>>>
>>> __ __
>>>
>>> Does this imply that Cyborg can't reprogram the FPGA at all?
>>>
>>> */[Mooney, Sean K] cyborg is intended to support fixed function
>>> acclerators also so it will not always be able to program the
>>> accelerator. In this case where an fpga is preprogramed with a
>>> multi function bitstream that is statically provisioned cyborge
>>> will not be able to reprogram the slot if any of the fuctions
>>> from that slot are already allocated to an instance. In this
>>> case it will have to treat it like a fixed function device and
>>> simply allocate a unused  vf  of the corret type if available.
>>> /*
>>>
>>>
>>> 
>>>
>>>
>>> In the current flow, the device type X is modeled as a
>>> resource class, so 

[openstack-dev] [openstack-helm] need an ideation on multiline logging support

[sungil im]

Docker generate container logs in json format, and Fluent-bit deliver the logs.
Fluent-bit provides some mechanism for various logs, but it cannot apply them 
to the logs, because the logs already converted in json-format.
There are some debates on this issue.
https://github.com/moby/moby/issues/22920 

It seems that docker will not support multi-line log for each log, judging from 
above debates.

There is a discussion about this issue, on other monitoring solution.
https://github.com/monasca/monasca-docker/issues/139 


since it would be better to provide multilne support from openstck-helm lma 
deployment, I would like to gather various opinion on what would be the best 
approach for us.


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [ceilometer] [gnocchi] keystone verification failed.

[__ mango.]

hi??
 I have a question about the validation of gnocchi keystone.
 I run the following command, but it is not successful.(api.auth_mode :basic, 
basic mode can be 
 # gnocchi status --debug
REQ: curl -g -i -X GET http://localhost:8041/v1/status?details=False -H 
"Authorization: {SHA1}d4daf1cf567f14f32dbc762154b3a281b4ea4c62" -H "Accept: 
application/json, */*" -H "User-Agent: gnocchi keystoneauth1/3.1.0 
python-requests/2.18.1 CPython/2.7.12"
Starting new HTTP connection (1): localhost
http://localhost:8041 "GET /v1/status?details=False HTTP/1.1" 401 114
RESP: [401] Content-Type: application/json Content-Length: 114 
WWW-Authenticate: Keystone uri='http://controller:5000/v3' Connection: 
Keep-Alive 
RESP BODY: {"error": {"message": "The request you have made requires 
authentication.", "code": 401, "title": "Unauthorized"}}
The request you have made requires authentication. (HTTP 401)

Please help me, thank you very much.

Ps:
I have configured the following__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [horizon] [heat-dashboard] Horizon plugin settings for new xstatic modules

[Kaz Shinohara]

Hi Ivan, Horizon folks,


Now totally 8 xstatic-** repos for heat-dashboard have been landed.

In project-config for them, I've set same acl-config as the existing
xstatic repos.
It means only "xstatic-core" can manage the newly created repos on gerrit.
Could you kindly add "heat-dashboard-core" into "xstatic-core" like as
what horizon-core is doing ?

xstatic-core
https://review.openstack.org/#/admin/groups/385,members

heat-dashboard-core
https://review.openstack.org/#/admin/groups/1844,members

Of course, we will surely touch only what we made, just would like to
manage them smoothly by ourselves.
In case we need to touch the other ones, will ask Horizon team for help.

Thanks in advance.

Regards,
Kaz


2018-03-14 15:12 GMT+09:00 Xinni Ge :
> Hi Horizon Team,
>
> I reported a bug about lack of ``ADD_XSTATIC_MODULES`` plugin option,
>  and submitted a patch for it.
> Could you please help to review the patch.
>
> https://bugs.launchpad.net/horizon/+bug/1755339
> https://review.openstack.org/#/c/552259/
>
> Thank you very much.
>
> Best Regards,
> Xinni
>
> On Tue, Mar 13, 2018 at 6:41 PM, Ivan Kolodyazhny  wrote:
>>
>> Hi Kaz,
>>
>> Thanks for cleaning this up. I put +1 on both of these patches
>>
>> Regards,
>> Ivan Kolodyazhny,
>> http://blog.e0ne.info/
>>
>> On Tue, Mar 13, 2018 at 4:48 AM, Kaz Shinohara 
>> wrote:
>>>
>>> Hi Ivan & Horizon folks,
>>>
>>>
>>> Now we are submitting a couple of patches to have the new xstatic
>>> modules.
>>> Let me request you to have review the following patches.
>>> We need Horizon PTL's +1 to move these forward.
>>>
>>> project-config
>>> https://review.openstack.org/#/c/551978/
>>>
>>> governance
>>> https://review.openstack.org/#/c/551980/
>>>
>>> Thanks in advance:)
>>>
>>> Regards,
>>> Kaz
>>>
>>>
>>> 2018-03-12 20:00 GMT+09:00 Radomir Dopieralski :
>>> > Yes, please do that. We can then discuss in the review about technical
>>> > details.
>>> >
>>> > On Mon, Mar 12, 2018 at 2:54 AM, Xinni Ge 
>>> > wrote:
>>> >>
>>> >> Hi, Akihiro
>>> >>
>>> >> Thanks for the quick reply.
>>> >>
>>> >> I agree with your opinion that BASE_XSTATIC_MODULES should not be
>>> >> modified.
>>> >> It is much better to enhance horizon plugin settings,
>>> >>  and I think maybe there could be one option like ADD_XSTATIC_MODULES.
>>> >> This option adds the plugin's xstatic files in STATICFILES_DIRS.
>>> >> I am considering to add a bug report to describe it at first, and give
>>> >> a
>>> >> patch later maybe.
>>> >> Is that ok with the Horizon team?
>>> >>
>>> >> Best Regards.
>>> >> Xinni
>>> >>
>>> >> On Fri, Mar 9, 2018 at 11:47 PM, Akihiro Motoki 
>>> >> wrote:
>>> >>>
>>> >>> Hi Xinni,
>>> >>>
>>> >>> 2018-03-09 12:05 GMT+09:00 Xinni Ge :
>>> >>> > Hello Horizon Team,
>>> >>> >
>>> >>> > I would like to hear about your opinions about how to add new
>>> >>> > xstatic
>>> >>> > modules to horizon settings.
>>> >>> >
>>> >>> > As for Heat-dashboard project embedded 3rd-party files issue,
>>> >>> > thanks
>>> >>> > for
>>> >>> > your advices in Dublin PTG, we are now removing them and
>>> >>> > referencing as
>>> >>> > new
>>> >>> > xstatic-* libs.
>>> >>>
>>> >>> Thanks for moving this forward.
>>> >>>
>>> >>> > So we installed the new xstatic files (not uploaded as openstack
>>> >>> > official
>>> >>> > repos yet) in our development environment now, but hesitate to
>>> >>> > decide
>>> >>> > how to
>>> >>> > add the new installed xstatic lib path to STATICFILES_DIRS in
>>> >>> > openstack_dashboard.settings so that the static files could be
>>> >>> > automatically
>>> >>> > collected by *collectstatic* process.
>>> >>> >
>>> >>> > Currently Horizon defines BASE_XSTATIC_MODULES in
>>> >>> > openstack_dashboard/utils/settings.py and the relevant static fils
>>> >>> > are
>>> >>> > added
>>> >>> > to STATICFILES_DIRS before it updates any Horizon plugin dashboard.
>>> >>> > We may want new plugin setting keywords ( something similar to
>>> >>> > ADD_JS_FILES)
>>> >>> > to update horizon XSTATIC_MODULES (or directly update
>>> >>> > STATICFILES_DIRS).
>>> >>>
>>> >>> IMHO it is better to allow horizon plugins to add xstatic modules
>>> >>> through horizon plugin settings. I don't think it is a good idea to
>>> >>> add a new entry in BASE_XSTATIC_MODULES based on horizon plugin
>>> >>> usages. It makes difficult to track why and where a xstatic module in
>>> >>> BASE_XSTATIC_MODULES is used.
>>> >>> Multiple horizon plugins can add a same entry, so horizon code to
>>> >>> handle plugin settings should merge multiple entries to a single one
>>> >>> hopefully.
>>> >>> My vote is to enhance the horizon plugin settings.
>>> >>>
>>> >>> Akihiro
>>> >>>
>>> >>> >
>>> >>> > Looking forward to hearing any suggestions from you guys, and
>>> >>> > Best Regards,
>>> >>> >
>>> >>> > Xinni Ge
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > 

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Doug Hellmann]

Excerpts from Jeremy Stanley's message of 2018-03-19 20:17:37 +:
> On 2018-03-19 16:09:14 -0400 (-0400), Doug Hellmann wrote:
> [...]
> > We want them all to use the openstackdocstheme so you could look
> > into creating a "subclass" of that one with the extra content in
> > the header, then ensure all of the specs repos use it.  We would
> > have to land a small patch to trigger a rebuild, but the patch
> > switching them from oslosphinx to openstackdocstheme would serve
> > for that and a small change to the readme or another file would do it
> > for any that are already using the theme.
> 
> Seems like a reasonable incentive for some needed cleanup.

And if I wasn't clear, we would want to put that subclass in the
openstackdocstheme repo so we can easily keep the styles up to date
over time.

Doug

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Openstack-sigs] [all][api] POST /api-sig/news

[Michael McCune]

On Fri, Mar 16, 2018 at 4:55 AM, Chris Dent  wrote:

> 
>
>> So summarize and clarify, we are talking about SDK being able to build
>> their interface to Openstack APIs in an automated way but statically from
>> API Schema generated by every project. Such API Schema is already built in
>> memory during API reference documentation generation and could be saved in
>> JSON format (for instance) (see [5]).
>>
>
> What do you see as the current roadblocks preventing this work from
> continuing to make progress?
>
>
>
Gilles, i'm very curious about how we can help as well.

i am keenly interested in the api-schema work that is happening and i am
coming up to speed with the work that Graham has done, and which previously
existed, on os-api-ref. although i don't have a *ton* of spare free time, i
would like to help as much as i can.

thanks for bringing this up again,

peace o/
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [ironic] Moving Ironic meeting time

[Julia Kreger]

Greetings everyone!

In an effort to have our meeting be a little friendlier to
contributors in Japan and India, we agreed today [0] to move our
meeting time up two hours to 1500 UTC.

The appropriate change [1] has been submitted to the irc-meetings repository.

Please let me know if you have any questions or concerns.

Thanks!

-Julia

[0]: 
http://eavesdrop.openstack.org/meetings/ironic/2018/ironic.2018-03-19-17.00.log.html#l-274
[1]: https://review.openstack.org/#/c/554361/

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [all] Job failures on stable/pike and stable/ocata

[Sean McGinnis]

I've seen this pop up in various channels now, so I figure I better get more
visibility on what is going on to avoid wasted troubleshooting.

We have a couple of issues causing failures with stable/pike and stable/ocata.
Actually, it also affects stable/queens as well due to grenade jobs needing to
run stable/pike first.

The first is an issue with setuptools since the 39.0.0 release. There were some
deprecations for the type of Version objects returned from setuptools that have
now been removed to new objects that no longer allow iterating. This impacted
oslo.utilsin versionutils.is_compatible, causing that method to raise the
exception:

TypeError: 'Version' object does not support indexing

This has been already addressed in master, so there are two backports for that
fix to the stable branches.

The second issue is with a new release of Pip. Basically, this change
deprecated and removed support for importing pip and calling internal methods
in 9.0.2. This manifests itself by neutron agent failing to load with the
following in the q-agt log file:

KeyError: 'pip._vendor.urllib3.contrib'

This actually bubbles up from the ryu package. Luckily, they had refactored
some things such that they are still importing pip, but we are not calling the
parts of the ryu code where this is still an issue.

To make things even more fun, these changes are in two different repos, and
neither can merge without the other fix.

I think we have a full working plan in place. The oslo.util patches would fail
just the legacy-tempest-dsvm-neutron-src job, so that has been marked as
non-voting for now. Next, the oslo.util fixes need to merge and a new stable
release done for them. Then, requirements updates to both stable branches can
pass that raise the upper-constraints for ryu to 4.18 which includes the
changes we need.

Once all that is done, we can merge the last patch that reverts the change
making legacy-tempest-dsvm-neutron-src voting again.

The set up patches (other than the upcoming release requests) can be found
under the pip/5081 topic:

https://review.openstack.org/#/q/topic:pip/5081+(status:open+OR+status:merged)

As far as I can tell, once all that is done, the stable branches should be
unblocked and we should be back in business. If anything else crops up, I'll
post updates here.

Thanks,
Sean


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] New image backend: StorPool

[melanie witt]

On Fri, 16 Mar 2018 19:24:01 +0200, Peter Penchev wrote:

On Fri, Mar 16, 2018 at 09:23:11AM -0700, melanie witt wrote:

On Fri, 16 Mar 2018 17:33:30 +0200, Peter Penchev wrote:

Would there be any major opposition to adding a StorPool shared
storage image backend, so that our customers are not limited to
volume-backed instances?  Right now, creating a StorPool volume and
snapshot from a Glance image and then booting instances from that
snapshot works great, but in some cases, including some provisioning
and accounting systems on top of OpenStack, it would be preferable to
go the Nova way and let the hypervisor think that it has a local(ish)
image to work with, even though it's on shared storage anyway.


Can you be more specific about what is limiting you when you use
volume-backed instances?


It's not a problem for our current customers, but we had an OpenStack
PoC last year for a customer who was using some proprietary
provisioning+accounting system on top of OpenStack (sorry, I really
can't remember the name).  That particular system simply couldn't be
bothered to create a volume-backed instance, so we "helped" by doing
an insane hack: writing an almost-pass-through Compute API that would
intercept the boot request and DTRT behind the scenes (send a modified
request to the real Compute API), and then also writing
an almost-pass-through Identity API that would intercept the requests to
get the Compute API's endpoint and slip our API's address there.
The customer ended up not using OpenStack for completely unrelated
reasons, but there was certainly at least one instance of this.


We've been kicking around the idea of beefing up
support of boot-from-volume in nova such that "automatic boot-from-volume
for instance create" works well enough that we could consider
boot-from-volume the first-class way to support the vast variety of cinder
storage backends and let cinder handle the details instead of trying to
re-implement support of various storage backends in nova on a selective
basis. I'd like to better understand what is lacking for you when you use
boot-from-volume to leverage StorPool and determine whether it's something
we could address in nova.


I'll see if I can remember anything more (ISTR also another case of
something that couldn't boot a volume-backed instance, but I really
cannot remember even what it was).  The problem was certainly not with
OpenStack proper, but with other systems built on top of it.


Thanks for the insight, Peter. On both points, it looks like we could 
speculate that providing a good UX in nova for automatic 
boot-from-volume might have addressed the issues in other systems being 
unable to leverage it (boot-from-volume).


As it stands, we haven't had anyone interested enough in the idea of a 
generic cinder imagebackend in nova to come forward and work on it. As 
an alternative, we could enhance our support of boot-from-volume enough 
to make it easy/automatic to use if an environment needs to be able to 
take advantage of various cinder backends for instances.


If we can gather support and people willing to work on either of those 
options, we could start getting serious about a plan and make some 
progress toward it.


Best,
-melanie

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [nova][ironic] Rocky PTG summary - nova/ironic

[melanie witt]

Hello everyone,

Here's the summary etherpad [0] for the nova/ironic session from the PTG 
in the Croke Park Hotel breakfast area, also included as a plain text 
export on this email. Please feel freed to edit or reply to this thread 
to add/correct anything I've missed.


Cheers,
-melanie

[0] https://etherpad.openstack.org/p/nova-ptg-rocky-ironic-summary

*Nova/Ironic: Rocky PTG Summary

https://etherpad.openstack.org/p/nova-ptg-rocky L245

*Key topics

  * Disk partitioning, want to be able to pass a hardware config for 
the hypervisor

  * Virt driver interaction issues
* nova-compute crashing on startup
* maintenance-state of Ironic nodes
  * Ironic API version negotiation
* Currently, ironicclient does not have the ability to send a 
specific microversion per request and the Ironic driver needs to be able 
to behave differently depending on Ironic version

  * Ironic + Traits update
* Where we are and what's coming next
* Flavor decomposition status (ability to specify desired traits of 
the allowed traits for a given flavor)


*Agreements and decisions
*
  * On disk partitioning and passing a hardware config, we could use an 
artifact repository such as Glare to store configs and then on the Nova 
side, we could enhance the existing disk_config parameter for server 
create to also support a profile ((AUTO/MANUAL/PROFILE). Profile 
templates would be operator-defined like flavors

* jroll to write a spec on this
  * For the issue of nova-compute crashing on startup, we could add a 
try-except around the call site at startup and ignore a "NotReadyYet" or 
similar exception from the Ironic driver
  * For the issue of maintenance-state Ironic nodes, the Ironic virt 
driver shall set reserved=1 for the custom resource class inventory 
record instead of returning no inventory records
  * On Ironic API version negotiation, the ironicclient already has 
some version negotiation built-in, so there are some options. 1) update 
Ironic driver to handle return/error codes from ironicclient 
version-negotiated calls, 2) add per-call microversion support to 
ironicclient and use it in the Ironic driver, 3) convert all Ironic 
driver calls to use raw REST
* Option 1) would be the most expedient, but it's up to the Ironic 
team how they will want to proceed. Option 3 is the desired ideal 
solution but will take a rewrite of the related Ironic driver unit tests 
as they currently all mock ironicclient

* TheJulia will follow up on this
  * On Ironic + Traits, the ability to specify traits for a given 
flavor is available starting in Queens
* 
https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/ironic-driver-traits.html
* 
https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/request-traits-in-nova.html
* Ironic CI work is in progress: 
https://review.openstack.org/#/c/545370
* Resource classes allows us to drop IronicHostManager and exact 
filters and the deprecation landed on 20171205, so we can remove them now


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Jeremy Stanley]

On 2018-03-19 16:09:14 -0400 (-0400), Doug Hellmann wrote:
[...]
> We want them all to use the openstackdocstheme so you could look
> into creating a "subclass" of that one with the extra content in
> the header, then ensure all of the specs repos use it.  We would
> have to land a small patch to trigger a rebuild, but the patch
> switching them from oslosphinx to openstackdocstheme would serve
> for that and a small change to the readme or another file would do it
> for any that are already using the theme.

Seems like a reasonable incentive for some needed cleanup.
-- 
Jeremy Stanley


signature.asc
Description: PGP signature
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Doug Hellmann]

Excerpts from Jim Rollenhagen's message of 2018-03-19 19:06:38 +:
> On Mon, Mar 19, 2018 at 3:46 PM, Jeremy Stanley  wrote:
> 
> > On 2018-03-19 14:57:58 + (+), Jim Rollenhagen wrote:
> > [...]
> > > What do folks think about a banner at the top of the specs website
> > > (or each individual spec) that points this out? I'm happy to do
> > > the work if we agree it's a good thing to do.
> > [...]
> >
> > Sounds good in principle, but the execution may take a bit of work.
> > Specs sites are independently generated Sphinx documents stored in
> > different repositories managed by different teams, and don't
> > necessarily share a common theme or configuration.
> 
> 
> Huh, I had totally thought there was a theme for the specs site that
> most/all projects use. I may try to accomplish this anyway, but will likely
> be more work that I thought. I'll poke around at options (small sphinx
> plugin, etc).

We want them all to use the openstackdocstheme so you could look
into creating a "subclass" of that one with the extra content in
the header, then ensure all of the specs repos use it.  We would
have to land a small patch to trigger a rebuild, but the patch
switching them from oslosphinx to openstackdocstheme would serve
for that and a small change to the readme or another file would do it
for any that are already using the theme.

Doug

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Jay Bryant]

Agree this  is a good idea.

Let me know what we can do to help.

Jay

On Mon, Mar 19, 2018, 9:58 AM Jim Rollenhagen 
wrote:

> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
>
> What do folks think about a banner at the top of the specs website (or
> each individual spec) that points this out? I'm happy to do the work if we
> agree it's a good thing to do. My suggested wording:
>
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."
>
> // jim
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Jeremy Stanley]

On 2018-03-19 19:06:38 + (+), Jim Rollenhagen wrote:
[...]
> Huh, I had totally thought there was a theme for the specs site
> that most/all projects use. I may try to accomplish this anyway,
> but will likely be more work that I thought. I'll poke around at
> options (small sphinx plugin, etc).
[...]

A lot of them may share the same theming, so you can probably get a
significant coverage by going that route and work up to more
complete coverage as you can convince others to switch to it. Also
they all (or at least almost all?) share the same publication job so
that's a possible alternative means of injection as well.
-- 
Jeremy Stanley


signature.asc
Description: PGP signature
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Jim Rollenhagen]

On Mon, Mar 19, 2018 at 3:46 PM, Jeremy Stanley  wrote:

> On 2018-03-19 14:57:58 + (+), Jim Rollenhagen wrote:
> [...]
> > What do folks think about a banner at the top of the specs website
> > (or each individual spec) that points this out? I'm happy to do
> > the work if we agree it's a good thing to do.
> [...]
>
> Sounds good in principle, but the execution may take a bit of work.
> Specs sites are independently generated Sphinx documents stored in
> different repositories managed by different teams, and don't
> necessarily share a common theme or configuration.


Huh, I had totally thought there was a theme for the specs site that
most/all projects use. I may try to accomplish this anyway, but will likely
be more work that I thought. I'll poke around at options (small sphinx
plugin, etc).


> It might be
> possible to hack around this with some sort of content injection in
> Apache but that also seems like a bit of a kluge.


Totally agree. :) Thanks Jeremy!

// jim
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [ironic] this week's priorities and subteam reports

[Yeleswarapu, Ramamani]

Hi,

We are glad to present this week's priorities and subteam report for Ironic. As 
usual, this is pulled directly from the Ironic whiteboard[0] and formatted.

This Week's Priorities (as of the weekly ironic meeting)


Weekly priorities
-
- Critical Sushy bug fix https://review.openstack.org/#/c/552817/
- Deploy Steps
- https://review.openstack.org/#/c/549493/
- Remaining Rescue patches
- https://review.openstack.org/#/c/546919/ - Fix a bug for unrescuiing with 
whole disk image
- better fix: https://review.openstack.org/#/c/499050/  - Fix ``agent`` 
deploy interface to call ``boot.prepare_instance`` Updated 19-Mar-2018.
- https://review.openstack.org/#/c/538119/ - Rescue mode standalone tests
- https://review.openstack.org/#/c/528699/ - Tempest tests with nova (This 
can land after nova work is done. But, it should be ready to get the nova patch 
reviewed.)
- Nova virt lying to Nova regarding resources fix
- high bug for ironic
- Placement has issues after upgrade if ironic is unreachable for too long 
Current WIP: https://review.openstack.org/#/c/545479/
- https://bugs.launchpad.net/nova/+bug/1750450
- https://review.openstack.org/#/c/545479/
- Management interface boot_mode change
- https://review.openstack.org/#/c/526773/

Vendor priorities
-
cisco-ucs:
Patches in works for SDK update, but not posted yet, currently rebuilding 
third party CI infra after a disaster...
idrac:
RFE and first several patches for adding UEFI support will be posted by 
Tuesday, 1/9
ilo:
https://review.openstack.org/#/c/530838/ - OOB Raid spec for iLO5
irmc:
None

oneview:
None at this time - No subteam at present.

Subproject priorities
-
bifrost:

ironic-inspector (or its client):

networking-baremetal:

networking-generic-switch:

sushy and the redfish driver:


Bugs (dtantsur, vdrok, TheJulia)

- Stats (diff between  12 Mar 2018 and 19 Mar 2018)
- Ironic: 225 bugs (+14) + 250 wishlist items (+2). 15 new (+10), 152 in 
progress, 1 critical, 36 high (+3) and 26 incomplete (+2)
- Inspector: 15 bugs (+1) + 26 wishlist items. 1 new (+1), 14 in progress, 0 
critical, 3 high and 4 incomplete
- Nova bugs with Ironic tag: 14 (-1). 1 new, 0 critical, 0 high
- critical:
- sushy: https://bugs.launchpad.net/sushy/+bug/1754514 (basic auth broken 
when SessionService is not present)
- note: the increase in bug count is probably because now the dashboard tracks 
virtualbmc and networking-baremetal
- the dashboard was abruptly deleted and needs a new home :(
- use it locally with `tox -erun` if you need to
- HIGH bugs with patches to review:
- Clean steps are not tested in gate 
https://bugs.launchpad.net/ironic/+bug/1523640: Add manual clean step ironic 
standalone test https://review.openstack.org/#/c/429770/15
- Needs to be reproposed to the ironic tempest plugin repository.
- prepare_instance() is not called for whole disk images with 'agent' deploy 
interface https://bugs.launchpad.net/ironic/+bug/1713916:
- Fix ``agent`` deploy interface to call ``boot.prepare_instance`` 
https://review.openstack.org/#/c/499050/
- (TheJulia) Currently WF-1, as revision is required for deprecation.

Priorities
==

Deploy Steps (rloo, mgoddard)
-
- status as of 19 March 2018:
- spec for deployment steps framework: 
https://review.openstack.org/#/c/549493/
- more reviews welcome; needs update

BIOS config framework(zshi, yolanda, moddard, hshiina)
--
- status as of 19 March 2018:
- Spec has merged: https://review.openstack.org/#/c/496481/
- 
https://review.openstack.org/#/q/topic:bug/1712032+(status:open+OR+status:merged)

Conductor Location Awareness (jroll, dtantsur)
--
- no update, will write spec soonish

Reference architecture guide (dtantsur, jroll)
--
- status as of 19 Feb 2018:
- Dublin PTG consensus was to start with small architectural building 
blocks.
- basic architecture explanation: https://review.openstack.org/554284
- (mostly moves stuff from the user guide)
- list of cases from the Denver PTG
- Admin-only provisioner
- small and/or rare: TODO
- non-HA acceptable, noop/flat network acceptable
- large and/or frequent: TODO
- HA required, neutron network or noop (static) network
- Bare metal cloud for end users
- smaller single-site: TODO
- non-HA, ironic conductors on controllers and noop/flat 
network acceptable
- larger single-site: TODO
- HA, split out ironic conductors, neutron networking, virtual 
media > iPXE > PXE/TFTP
- split out TFTP servers 

[openstack-dev] [tacker] tacker meeting on Mar. 20th 2018 is cancelled

[龚永生]

hi
Because I am on a trip, the Tacker project meeting on Mar. 20th  is cancelled. 
If you guys need to talk, please go to #tacker channel or send me an email.


please go ahead  according to our PTG meeting.
Regards,


yong sheng gong
99cloud__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [tripleo] Tripleo CI Community meeting tomorrow

[Arx Cruz]

Hello

We are going to have a TripleO CI Community meeting tomorrow 03/20/2018 at
3 pm UTC time.
The meeting is going to happen on BlueJeans [1] and also on IRC on #tripleo
 channel.

After that, we will hold Office Hours starting at 4PM UTC in case someone
from community have any questions related to CI.

Hope to see you there.

1 - https://bluejeans.com/7071866728



Kind regards,
Arx Cruz
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Jeremy Stanley]

On 2018-03-19 14:57:58 + (+), Jim Rollenhagen wrote:
[...]
> What do folks think about a banner at the top of the specs website
> (or each individual spec) that points this out? I'm happy to do
> the work if we agree it's a good thing to do.
[...]

Sounds good in principle, but the execution may take a bit of work.
Specs sites are independently generated Sphinx documents stored in
different repositories managed by different teams, and don't
necessarily share a common theme or configuration. It might be
possible to hack around this with some sort of content injection in
Apache but that also seems like a bit of a kluge.
-- 
Jeremy Stanley


signature.asc
Description: PGP signature
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Petr Kovar]

On Mon, 19 Mar 2018 14:57:58 +
Jim Rollenhagen  wrote:

> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
> 
> What do folks think about a banner at the top of the specs website (or each
> individual spec) that points this out? I'm happy to do the work if we agree
> it's a good thing to do. My suggested wording:
> 
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."

Might be a good idea to also include a pointer to
https://docs.openstack.org/.

Thanks,
pk

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Julia Kreger]

I'm all for the idea, although that may be because I've been been one
of the people in the past attempting to assist people who have found
specs, and who are are confused or frustrated. I believe it is because
some people latch on to the highly technical design documents when
they can't find $complex thing in $complex documentation easily.

-Julia

On Mon, Mar 19, 2018 at 7:57 AM, Jim Rollenhagen  
wrote:
> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
>
> What do folks think about a banner at the top of the specs website (or each
> individual spec) that points this out? I'm happy to do the work if we agree
> it's a good thing to do. My suggested wording:
>
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."
>
> // jim
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>


On Mon, Mar 19, 2018 at 7:57 AM, Jim Rollenhagen  
wrote:
> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
>
> What do folks think about a banner at the top of the specs website (or each
> individual spec) that points this out? I'm happy to do the work if we agree
> it's a good thing to do. My suggested wording:
>
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."
>
> // jim
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Sean McGinnis]

On Mon, Mar 19, 2018 at 02:57:58PM +, Jim Rollenhagen wrote:
> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
> 
> What do folks think about a banner at the top of the specs website (or each
> individual spec) that points this out? I'm happy to do the work if we agree
> it's a good thing to do. My suggested wording:
> 
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."
> 
> // jim

I like that idea. There have been several times where this has caused
confusion. If there was some sort of notification on the page, that may make it
more likely that random web search readers will understand that they are not
reading "official" documentation.


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Qos]Unable to apply qos policy with dscp marking rule to a port

[Isaku Yamahata]

Please step up to drive

https://review.openstack.org/#/c/519513/

At the moment no one is working on the patch.

Thanks,


On Fri, Mar 16, 2018 at 07:25:58PM +,
A Vamsikrishna  wrote:

> Hi Manjeet / Isaku,
> 
> I am unable to apply qos policy with dscp marking rule to a port.
> 
> 
> 1.Create a Qos Policy
> 2.Create a dscp marking rule on to create qos policy
> 3.Apply above created policy to a port
> 
> openstack network qos rule set --dscp-mark 22 dscp-marking 
> 115e4f70-8034-41768fe9-2c47f8878a7d
> 
> HttpException: Conflict (HTTP 409) (Request-ID: 
> req-da7d8998-9d8c-4aea-a10b-326cc21b608e), Rule dscp_marking is not supported 
> by port 115e4f70-8034-41768fe9-2c47f8878a7d
> 
> stack@pike-ctrl:~/devstack$
> 
> Seeing above error during the qos policy application on a port.
> 
> Any suggestions on this ?
> 
> I see below review has been abandoned which is "Allow networking-odl to 
> support DSCP Marking rule for qos driver":
> 
> https://review.openstack.org/#/c/460470/
> 
> Is dscp marking supported in PIKE ? Can you please confirm ?
> 
> I have raised below bug to track this issue:
> 
> https://bugs.launchpad.net/networking-odl/+bug/1756132
> 
> 
> 
> Thanks,
> Vamsi

-- 
Isaku Yamahata 

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] Adding "not docs" banner to specs website?

[Amy Marrich]

I think it's a good idea especially as some times a spec is never completed
or not in the same release.

Thanks,

Amy(spotz)

On Mon, Mar 19, 2018 at 9:57 AM, Jim Rollenhagen 
wrote:

> Ironic (and surely other projects) have had to point out many times that
> specs are a point in time design discussion, and not completed
> documentation. It's obviously too much work to go back and update specs
> constantly.
>
> What do folks think about a banner at the top of the specs website (or
> each individual spec) that points this out? I'm happy to do the work if we
> agree it's a good thing to do. My suggested wording:
>
> "NOTE: specifications are a point-in-time design reference, not up-to-date
> feature documentation."
>
> // jim
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] Adding "not docs" banner to specs website?

[Jim Rollenhagen]

Ironic (and surely other projects) have had to point out many times that
specs are a point in time design discussion, and not completed
documentation. It's obviously too much work to go back and update specs
constantly.

What do folks think about a banner at the top of the specs website (or each
individual spec) that points this out? I'm happy to do the work if we agree
it's a good thing to do. My suggested wording:

"NOTE: specifications are a point-in-time design reference, not up-to-date
feature documentation."

// jim
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Boden Russell]

> On 3/19/18 7:15 AM, Andreas Jaeger wrote:
> 
> pip install -U breaks it, please double check that this does the right
> thing:
> 
> https://review.openstack.org/554222

I'm not yet convinced the pip -U is the only factor here.
When I run with 554222 in my local env I still get a back-leveled
neutron, but maybe I'm doing something wrong.

I'm testing with: https://review.openstack.org/#/c/554245/

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [kolla] kolla-ansible 6.0.0.0rc2 (queens)

[no-reply]

Hello everyone,

A new release candidate for kolla-ansible for the end of the Queens
cycle is available!  You can find the source code tarball at:

https://tarballs.openstack.org/kolla-ansible/

Unless release-critical issues are found that warrant a release
candidate respin, this candidate will be formally released as the
final Queens release. You are therefore strongly
encouraged to test and validate this tarball!

Alternatively, you can directly test the stable/queens release
branch at:

http://git.openstack.org/cgit/openstack/kolla-ansible/log/?h=stable/queens

Release notes for kolla-ansible can be found at:

http://docs.openstack.org/releasenotes/kolla-ansible/




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron] Prevent ARP spoofing

[Vadim Ponomarev]

If I understood correctly, you talk about rules which are generated by
security_group extension as default from the fixed_ips +
allowed_address_pairs list. In our openstack installation we disabled the
security_group and the allowed_address_pairs extensions to simplify the
configuration the HA clusters.

Currently we configure the neutron as follows:
1. prevent_arp_spoofing = False
2. disable security_group extension
3. disable allowed_address_pairs extension

Actually, if port_security will be like a "central regulator" which
controll all mechanisms, it's perfectly in our case. But, we will lose
flexibility, because we can't changed default value for this option. And,
even if we disable the port_security extension in the neutron, the prevent
ARP-spoofing mechanism will work as default [1].

It's very important question, how do we may disable globally the prevent
ARP spoofing in the Pike release? To create all networks without specifying
an option port_security_enabled=False.

Changes that were proposed by Tatiana, just let save current flexability.

[1]
https://github.com/openstack/neutron/blob/stable/pike/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L907

2018-03-19 16:24 GMT+03:00 Kevin Benton :

> Disabling ARP spoofing protection alone will not let the standby instance
> source traffic using the active instance's IP. IP filtering rules
> independent of ARP enforcement rules ensure the source IP is in the
> fixed_ips or allowed_address_pairs.
>
> Are you already using allowed address pairs to add the shared IP to both?
>
> On Mon, Mar 19, 2018, 22:13 Vadim Ponomarev  wrote:
>
>> Yes, there's really a need for mechanisms of high availability like
>> corosync, vrrp etc. Another simple example: we have two servers with the
>> active/standby HA configuration  (for example keepalived + haproxy) and we
>> have third-party monitoring system for these servers. The monitoring system
>> gets some load metrics and when one of the servers is unavailable, the
>> monitoring system scales architecture (adds new server to cluster) in this
>> way saving the HA architecture. In your case, this monitoring system must
>> do the following steps: create new instance, add new instance's MAC address
>> to allowed_address_pairs and only after that reconfigure all other nodes.
>> Otherwise cluster will not work. The solution to the problem is simple -
>> disable the prevent ARP spoofing mechnism.
>>
>> Ok, we may used port_security options for this network with the HA
>> cluster. For this case we must reconfigure our monitoring systems, create
>> allowed_address_pairs for all current servers and (it's hardest) train our
>> users how that done.
>>
>> Currently, we don't use the prevent ARP spoofing option
>> (prevent_arp_spoofing = False) and honestly I don't understand why this
>> option is enabled as default in private networks. Each such network belongs
>> to one user, who controls all instances. Who would decide to perform a MITM
>> attack in his own network?
>>
>> 2018-03-19 12:53 GMT+03:00 Kevin Benton :
>>
>>> Do you need to spoof arbitrary addresses? If not (i.e. a set you know
>>> ahead of time), you can put entries in the allowed_address_pairs field of
>>> the port that will allow you to send traffic using other MAC/IPs.
>>>
>>> On Mar 19, 2018 8:42 PM, "Vadim Ponomarev" 
>>> wrote:
>>>
>>> Hi,
>>>
>>> I support, that is a problem. It's unclear, how after removing the
>>> option prevent_arp_spoofing, I can manage the prevent ARP spoofing
>>> mechanism. Example: I use security groups but I don't want to use ARP
>>> spoofing protection. How do I can disable the protection?
>>>
>>> 2018-03-14 10:26 GMT+03:00 Tatiana Kholkina :
>>>
 Sure, there is an ability to enable ARP spoofing for the port/network,
 but it is impossible to make it enabled by default for all ports.
 It looks a bit complicated to me and I think it would be better to have
 an ability to set default port security via config file.

 Best regards,
 Tatiana

 2018-03-13 15:10 GMT+03:00 Claudiu Belu :

> Hi,
>
> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
> enabled for a port / network, you can simply disable the security groups 
> on
> that neutron network / port.
>
> Best regards,
>
> Claudiu Belu
>
> --
> *From:* Татьяна Холкина [holk...@selectel.ru]
> *Sent:* Tuesday, March 13, 2018 12:54 PM
> *To:* openstack-dev@lists.openstack.org
> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
>
> Hi,
> I'm using an ocata release of OpenStack where the option
> prevent_arp_spoofing can be managed via conf. But later in pike it was
> removed and it was decided to prevent spoofing by default.
> There are cases where security 

Re: [openstack-dev] [ALL][PTLs] Community Goals for Rocky: Toggle the debug option at runtime

[Jim Rollenhagen]

On Sat, Mar 17, 2018 at 9:49 PM, Doug Hellmann 
wrote:

> Both of those are good ideas.
>

Agree. I like the socket idea a bit more as I can imagine some operators
don't want config file changes automatically applied. Do we want to choose
one to standardize on or allow each project (or operators, via config) the
choice?

I believe adding those things to oslo.service would make them available to
> all applications.
>

Not necessarily - this discussion started when the Keystone team was
discussing how to implement this, given that keystone doesn't use
oslo.service. That said, it should be easy to implement in services that
don't want this dependency, so +1.

// jim
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Andreas Jaeger]

On 2018-03-19 14:24, Gary Kotton wrote:
> The change will need to be in all of the decomposed projects - 
> http://codesearch.openstack.org/?q=install_cmd%20-U=nope==
> Good catch!

Will you do those, please? (once confirmed that this is the right change),

Andreas

> 
> On 3/19/18, 3:18 PM, "Gary Kotton"  wrote:
> 
> Thanks!! Will check if it now
> 
> On 3/19/18, 3:15 PM, "Andreas Jaeger"  wrote:
> 
> On 2018-03-19 14:01, Gary Kotton wrote:
> > The issue is that since the change below -
> > https://review.openstack.org/553045 - we are not picking up the 
> latest
> > neutron master code.
> 
> I see neutron installed:
> 
> 
> http://logs.openstack.org/45/553045/1/gate/openstack-tox-pep8/5347981/job-output.txt.gz#_2018-03-15_13_58_12_552258
> 
> But later it's downgraded - like it's done for the other requirements
> you have. So, this uncovered a problem in your install.
> 
> pip install -U breaks it, please double check that this does the right
> thing:
> 
> https://review.openstack.org/554222
> 
> Andreas
> 
> >  
> > 
> > *From: *Thomas Morin 
> > *Organization: *Orange S.A.
> > *Reply-To: *OpenStack List 
> > *Date: *Monday, March 19, 2018 at 1:46 PM
> > *To: *OpenStack List 
> > *Subject: *Re: [openstack-dev] [requirements][neutron] Depending on 
> pypi
> > versions
> > 
> >  
> > 
> > Hi Gary,
> > 
> >  
> > 
> > See
> > 
> > 
> http://lists.openstack.org/pipermail/openstack-dev/2018-March/128311.html
> > 
> >  
> > 
> >> Note that thanks to the tox-siblings feature, we really continue to
> > 
> >> install neutron and horizon from git - and not use the versions in
> > 
> >> the global-requirements constraints file,
> > 
> >  
> > 
> > I think it is worth adding a comment in (test-)requirements.txt 
> that the
> > OpenStack CI is overriding the version and uses git.
> > 
> >  
> > 
> > -Thomas
> > 
> >  
> > 
> >  
> > 
> > Gary Kotton, 2018-03-19 11:25:
> > 
> > Hi,
> > 
> > The change
> > 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_requirements_commit_35653e8c5044bff1059f50a82b6065176eea=DwIGaQ=uilaK90D4TOVoH58JNXRgQ=PMrZQUSXojEgJQPh7cZrz1Lvja0OwAstg0U82FalZrw=438_Ni4AJ-nteg3SAstWzssFEcYN8k5BoSslcDtkSEU=nkowIZ6GVGMJAfMtR4XliFZhODdtly2gsBTr8k9wFFY=
> > has created some issues with decomposed neutron plugins. Let me 
> try
> > and give an example to explain.
> > 
> > Say for example a patch landed in neutron master that exposed
> > feature X. Now if a decomposed plugin wants to consume this it 
> will
> > fail as the decomposed plugin will pull in the latest tag.
> > 
> > Does this mean for each new feature that we wish to consume we 
> will
> > need to update neutron tags?
> > 
> > Please advise.
> > 
> > Thanks
> > 
> > Gary
> > 
> > 
> __
> > 
> > OpenStack Development Mailing List (not for usage questions)
> > 
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org
> > 
> ?subject:unsubscribe
> > 
> > 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > 
> > 
> > 
> > 
> __
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: 
> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > 
> 
> 
> -- 
>  Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
>   SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
>GF: Felix Imendörffer, Jane Smithard, Graham Norton,
>HRB 21284 (AG Nürnberg)
> GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 
> A126
> 
> 
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> 

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Gary Kotton]

The change will need to be in all of the decomposed projects - 
http://codesearch.openstack.org/?q=install_cmd%20-U=nope==
Good catch!

On 3/19/18, 3:18 PM, "Gary Kotton"  wrote:

Thanks!! Will check if it now

On 3/19/18, 3:15 PM, "Andreas Jaeger"  wrote:

On 2018-03-19 14:01, Gary Kotton wrote:
> The issue is that since the change below -
> https://review.openstack.org/553045 - we are not picking up the latest
> neutron master code.

I see neutron installed:


http://logs.openstack.org/45/553045/1/gate/openstack-tox-pep8/5347981/job-output.txt.gz#_2018-03-15_13_58_12_552258

But later it's downgraded - like it's done for the other requirements
you have. So, this uncovered a problem in your install.

pip install -U breaks it, please double check that this does the right
thing:

https://review.openstack.org/554222

Andreas

>  
> 
> *From: *Thomas Morin 
> *Organization: *Orange S.A.
> *Reply-To: *OpenStack List 
> *Date: *Monday, March 19, 2018 at 1:46 PM
> *To: *OpenStack List 
> *Subject: *Re: [openstack-dev] [requirements][neutron] Depending on 
pypi
> versions
> 
>  
> 
> Hi Gary,
> 
>  
> 
> See
> 
> 
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128311.html
> 
>  
> 
>> Note that thanks to the tox-siblings feature, we really continue to
> 
>> install neutron and horizon from git - and not use the versions in
> 
>> the global-requirements constraints file,
> 
>  
> 
> I think it is worth adding a comment in (test-)requirements.txt that 
the
> OpenStack CI is overriding the version and uses git.
> 
>  
> 
> -Thomas
> 
>  
> 
>  
> 
> Gary Kotton, 2018-03-19 11:25:
> 
> Hi,
> 
> The change
> 
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_requirements_commit_35653e8c5044bff1059f50a82b6065176eea=DwIGaQ=uilaK90D4TOVoH58JNXRgQ=PMrZQUSXojEgJQPh7cZrz1Lvja0OwAstg0U82FalZrw=438_Ni4AJ-nteg3SAstWzssFEcYN8k5BoSslcDtkSEU=nkowIZ6GVGMJAfMtR4XliFZhODdtly2gsBTr8k9wFFY=
> has created some issues with decomposed neutron plugins. Let me 
try
> and give an example to explain.
> 
> Say for example a patch landed in neutron master that exposed
> feature X. Now if a decomposed plugin wants to consume this it 
will
> fail as the decomposed plugin will pull in the latest tag.
> 
> Does this mean for each new feature that we wish to consume we 
will
> need to update neutron tags?
> 
> Please advise.
> 
> Thanks
> 
> Gary
> 
> 
__
> 
> OpenStack Development Mailing List (not for usage questions)
> 
> Unsubscribe: openstack-dev-requ...@lists.openstack.org
> 
?subject:unsubscribe
> 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> 
__
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 


-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
  SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Felix Imendörffer, Jane Smithard, Graham Norton,
   HRB 21284 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Re: [openstack-dev] [neutron] Prevent ARP spoofing

[Kevin Benton]

Disabling ARP spoofing protection alone will not let the standby instance
source traffic using the active instance's IP. IP filtering rules
independent of ARP enforcement rules ensure the source IP is in the
fixed_ips or allowed_address_pairs.

Are you already using allowed address pairs to add the shared IP to both?

On Mon, Mar 19, 2018, 22:13 Vadim Ponomarev  wrote:

> Yes, there's really a need for mechanisms of high availability like
> corosync, vrrp etc. Another simple example: we have two servers with the
> active/standby HA configuration  (for example keepalived + haproxy) and we
> have third-party monitoring system for these servers. The monitoring system
> gets some load metrics and when one of the servers is unavailable, the
> monitoring system scales architecture (adds new server to cluster) in this
> way saving the HA architecture. In your case, this monitoring system must
> do the following steps: create new instance, add new instance's MAC address
> to allowed_address_pairs and only after that reconfigure all other nodes.
> Otherwise cluster will not work. The solution to the problem is simple -
> disable the prevent ARP spoofing mechnism.
>
> Ok, we may used port_security options for this network with the HA
> cluster. For this case we must reconfigure our monitoring systems, create
> allowed_address_pairs for all current servers and (it's hardest) train our
> users how that done.
>
> Currently, we don't use the prevent ARP spoofing option
> (prevent_arp_spoofing = False) and honestly I don't understand why this
> option is enabled as default in private networks. Each such network belongs
> to one user, who controls all instances. Who would decide to perform a MITM
> attack in his own network?
>
> 2018-03-19 12:53 GMT+03:00 Kevin Benton :
>
>> Do you need to spoof arbitrary addresses? If not (i.e. a set you know
>> ahead of time), you can put entries in the allowed_address_pairs field of
>> the port that will allow you to send traffic using other MAC/IPs.
>>
>> On Mar 19, 2018 8:42 PM, "Vadim Ponomarev"  wrote:
>>
>> Hi,
>>
>> I support, that is a problem. It's unclear, how after removing the option
>> prevent_arp_spoofing, I can manage the prevent ARP spoofing mechanism.
>> Example: I use security groups but I don't want to use ARP spoofing
>> protection. How do I can disable the protection?
>>
>> 2018-03-14 10:26 GMT+03:00 Tatiana Kholkina :
>>
>>> Sure, there is an ability to enable ARP spoofing for the port/network,
>>> but it is impossible to make it enabled by default for all ports.
>>> It looks a bit complicated to me and I think it would be better to have
>>> an ability to set default port security via config file.
>>>
>>> Best regards,
>>> Tatiana
>>>
>>> 2018-03-13 15:10 GMT+03:00 Claudiu Belu :
>>>
 Hi,

 Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
 enabled for a port / network, you can simply disable the security groups on
 that neutron network / port.

 Best regards,

 Claudiu Belu

 --
 *From:* Татьяна Холкина [holk...@selectel.ru]
 *Sent:* Tuesday, March 13, 2018 12:54 PM
 *To:* openstack-dev@lists.openstack.org
 *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing

 Hi,
 I'm using an ocata release of OpenStack where the option
 prevent_arp_spoofing can be managed via conf. But later in pike it was
 removed and it was decided to prevent spoofing by default.
 There are cases where security features should be disabled. As I can
 see now we can use a port_security option for these cases. But this option
 should be set for a particular port or network on create. The default value
 is set to True [1] and itt is impossible to change it. I'd like to
 suggest to get default value for port_security [2] from config option.
 It would be nice to know your opinion.

 [1]
 https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21
 [2]
 https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24

 Best regards,
 Tatiana


 __
 OpenStack Development Mailing List (not for usage questions)
 Unsubscribe:
 openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


>>>
>>>
>>> __
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>> Best regards,
>> Vadim Ponomarev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Gary Kotton]

Thanks!! Will check if it now

On 3/19/18, 3:15 PM, "Andreas Jaeger"  wrote:

On 2018-03-19 14:01, Gary Kotton wrote:
> The issue is that since the change below -
> https://review.openstack.org/553045 - we are not picking up the latest
> neutron master code.

I see neutron installed:


http://logs.openstack.org/45/553045/1/gate/openstack-tox-pep8/5347981/job-output.txt.gz#_2018-03-15_13_58_12_552258

But later it's downgraded - like it's done for the other requirements
you have. So, this uncovered a problem in your install.

pip install -U breaks it, please double check that this does the right
thing:

https://review.openstack.org/554222

Andreas

>  
> 
> *From: *Thomas Morin 
> *Organization: *Orange S.A.
> *Reply-To: *OpenStack List 
> *Date: *Monday, March 19, 2018 at 1:46 PM
> *To: *OpenStack List 
> *Subject: *Re: [openstack-dev] [requirements][neutron] Depending on pypi
> versions
> 
>  
> 
> Hi Gary,
> 
>  
> 
> See
> 
> http://lists.openstack.org/pipermail/openstack-dev/2018-March/128311.html
> 
>  
> 
>> Note that thanks to the tox-siblings feature, we really continue to
> 
>> install neutron and horizon from git - and not use the versions in
> 
>> the global-requirements constraints file,
> 
>  
> 
> I think it is worth adding a comment in (test-)requirements.txt that the
> OpenStack CI is overriding the version and uses git.
> 
>  
> 
> -Thomas
> 
>  
> 
>  
> 
> Gary Kotton, 2018-03-19 11:25:
> 
> Hi,
> 
> The change
> 
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_requirements_commit_35653e8c5044bff1059f50a82b6065176eea=DwIGaQ=uilaK90D4TOVoH58JNXRgQ=PMrZQUSXojEgJQPh7cZrz1Lvja0OwAstg0U82FalZrw=438_Ni4AJ-nteg3SAstWzssFEcYN8k5BoSslcDtkSEU=nkowIZ6GVGMJAfMtR4XliFZhODdtly2gsBTr8k9wFFY=
> has created some issues with decomposed neutron plugins. Let me try
> and give an example to explain.
> 
> Say for example a patch landed in neutron master that exposed
> feature X. Now if a decomposed plugin wants to consume this it will
> fail as the decomposed plugin will pull in the latest tag.
> 
> Does this mean for each new feature that we wish to consume we will
> need to update neutron tags?
> 
> Please advise.
> 
> Thanks
> 
> Gary
> 
> 
__
> 
> OpenStack Development Mailing List (not for usage questions)
> 
> Unsubscribe: openstack-dev-requ...@lists.openstack.org
> ?subject:unsubscribe
> 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 


-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
  SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Felix Imendörffer, Jane Smithard, Graham Norton,
   HRB 21284 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Andreas Jaeger]

On 2018-03-19 14:01, Gary Kotton wrote:
> The issue is that since the change below -
> https://review.openstack.org/553045 - we are not picking up the latest
> neutron master code.

I see neutron installed:

http://logs.openstack.org/45/553045/1/gate/openstack-tox-pep8/5347981/job-output.txt.gz#_2018-03-15_13_58_12_552258

But later it's downgraded - like it's done for the other requirements
you have. So, this uncovered a problem in your install.

pip install -U breaks it, please double check that this does the right
thing:

https://review.openstack.org/554222

Andreas

>  
> 
> *From: *Thomas Morin 
> *Organization: *Orange S.A.
> *Reply-To: *OpenStack List 
> *Date: *Monday, March 19, 2018 at 1:46 PM
> *To: *OpenStack List 
> *Subject: *Re: [openstack-dev] [requirements][neutron] Depending on pypi
> versions
> 
>  
> 
> Hi Gary,
> 
>  
> 
> See
> 
> http://lists.openstack.org/pipermail/openstack-dev/2018-March/128311.html
> 
>  
> 
>> Note that thanks to the tox-siblings feature, we really continue to
> 
>> install neutron and horizon from git - and not use the versions in
> 
>> the global-requirements constraints file,
> 
>  
> 
> I think it is worth adding a comment in (test-)requirements.txt that the
> OpenStack CI is overriding the version and uses git.
> 
>  
> 
> -Thomas
> 
>  
> 
>  
> 
> Gary Kotton, 2018-03-19 11:25:
> 
> Hi,
> 
> The change
> 
> https://github.com/openstack/requirements/commit/35653e8c5044bff1059f50a82b6065176eea
> has created some issues with decomposed neutron plugins. Let me try
> and give an example to explain.
> 
> Say for example a patch landed in neutron master that exposed
> feature X. Now if a decomposed plugin wants to consume this it will
> fail as the decomposed plugin will pull in the latest tag.
> 
> Does this mean for each new feature that we wish to consume we will
> need to update neutron tags?
> 
> Please advise.
> 
> Thanks
> 
> Gary
> 
> __
> 
> OpenStack Development Mailing List (not for usage questions)
> 
> Unsubscribe: openstack-dev-requ...@lists.openstack.org
> ?subject:unsubscribe
> 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 


-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
  SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Felix Imendörffer, Jane Smithard, Graham Norton,
   HRB 21284 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Gary Kotton]

The issue is that since the change below - https://review.openstack.org/553045 
- we are not picking up the latest neutron master code.

From: Thomas Morin 
Organization: Orange S.A.
Reply-To: OpenStack List 
Date: Monday, March 19, 2018 at 1:46 PM
To: OpenStack List 
Subject: Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

Hi Gary,

See
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128311.html

> Note that thanks to the tox-siblings feature, we really continue to
> install neutron and horizon from git - and not use the versions in
> the global-requirements constraints file,

I think it is worth adding a comment in (test-)requirements.txt that the 
OpenStack CI is overriding the version and uses git.

-Thomas


Gary Kotton, 2018-03-19 11:25:
Hi,
The change 
https://github.com/openstack/requirements/commit/35653e8c5044bff1059f50a82b6065176eea
 has created some issues with decomposed neutron plugins. Let me try and give 
an example to explain.
Say for example a patch landed in neutron master that exposed feature X. Now if 
a decomposed plugin wants to consume this it will fail as the decomposed plugin 
will pull in the latest tag.
Does this mean for each new feature that we wish to consume we will need to 
update neutron tags?
Please advise.
Thanks
Gary
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Nova] [Cyborg] Tracking multiple functions

[Zhipeng Huang]

Hi Sundar,

I think the two points you raised is valid and please also reflect that in
the spec you are helping drafting :)

On Mon, Mar 19, 2018 at 12:34 AM, Nadathur, Sundar <
sundar.nadat...@intel.com> wrote:

> Sorry for the delayed response. I broadly agree with previous replies.
> For the concerns about the impact of Cyborg weigher on scheduling
> performance , there are some options (apart from filtering candidates as
> much as possible in Placement):
> * Handle hosts in bulk by extending BaseWeigher
>  and
> overriding weigh_objects
> (),
> instead of handling one host at a time.
> * If we have to handle one host at a time for whatever reason, since the
> weigher is maintained by Cyborg, it could directly query Cyborg DB rather
> than go through Cyborg REST API. This will be not unlike other weighers.
>
> Given these and other possible optimizations, it may be too soon to worry
> about the performance impact.
>
> I am working on a spec that will capture the flow discussed in the PTG. I
> will try to address these aspects as well.
>
> Thanks & Regards,
> Sundar
>
>
> On 3/8/2018 4:53 AM, Zhipeng Huang wrote:
>
> @jay I'm also against a weigher in nova/placement. This should be an
> optional step depends on vendor implementation, not a default one.
>
> @Alex I think we should explore the idea of preferred trait.
>
> @Mathew: Like Sean said, Cyborg wants to support both reprogrammable FPGA
> and pre-programed ones.
> Therefore it is correct that in your description, the programming
> operation should be a call from Nova to Cyborg, and cyborg will complete
> the operation while nova waits. The only problem is that the weigher step
> should be an optional one.
>
>
> On Wed, Mar 7, 2018 at 9:21 PM, Jay Pipes  wrote:
>
>> On 03/06/2018 09:36 PM, Alex Xu wrote:
>>
>>> 2018-03-07 10:21 GMT+08:00 Alex Xu > sou...@gmail.com>>:
>>>
>>>
>>>
>>> 2018-03-06 22:45 GMT+08:00 Mooney, Sean K >> >:
>>>
>>> __ __
>>>
>>> __ __
>>>
>>> *From:*Matthew Booth [mailto:mbo...@redhat.com
>>> ]
>>> *Sent:* Saturday, March 3, 2018 4:15 PM
>>> *To:* OpenStack Development Mailing List (not for usage
>>> questions) >> >
>>> *Subject:* Re: [openstack-dev] [Nova] [Cyborg] Tracking multiple
>>> functions
>>>
>>> __ __
>>>
>>> On 2 March 2018 at 14:31, Jay Pipes >> > wrote:
>>>
>>> On 03/02/2018 02:00 PM, Nadathur, Sundar wrote:
>>>
>>> Hello Nova team,
>>>
>>>   During the Cyborg discussion at Rocky PTG, we
>>> proposed a flow for FPGAs wherein the request spec asks
>>> for a device type as a resource class, and optionally a
>>> function (such as encryption) in the extra specs. This
>>> does not seem to work well for the usage model that I’ll
>>> describe below.
>>>
>>> An FPGA device may implement more than one function. For
>>> example, it may implement both compression and
>>> encryption. Say a cluster has 10 devices of device type
>>> X, and each of them is programmed to offer 2 instances
>>> of function A and 4 instances of function B. More
>>> specifically, the device may implement 6 PCI functions,
>>> with 2 of them tied to function A, and the other 4 tied
>>> to function B. So, we could have 6 separate instances
>>> accessing functions on the same device.
>>>
>>> __ __
>>>
>>> Does this imply that Cyborg can't reprogram the FPGA at all?
>>>
>>> */[Mooney, Sean K] cyborg is intended to support fixed function
>>> acclerators also so it will not always be able to program the
>>> accelerator. In this case where an fpga is preprogramed with a
>>> multi function bitstream that is statically provisioned cyborge
>>> will not be able to reprogram the slot if any of the fuctions
>>> from that slot are already allocated to an instance. In this
>>> case it will have to treat it like a fixed function device and
>>> simply allocate a unused  vf  of the corret type if available.
>>> /*
>>>
>>>
>>> 
>>>
>>>
>>> In the current flow, the device type X is modeled as a
>>> resource class, so Placement will count how many of them
>>> are in use. A flavor for ‘RC device-type-X + function A’
>>> will consume 

Re: [openstack-dev] [openstack][charms] Openstack + OVN

[Aakash Kt]

Hi James,

Thank you for the previous code review.
I have pushed another patch. Also, I do not know how to reply to your
review comments on gerrit, so I will reply to them here.

About the signed-off-message, I did not know that it wasn't a requirement
for OpenStack, I assumed it was. I have removed it from the updated patch.

Thank you,
Aakash


On Thu, Mar 15, 2018 at 11:34 AM, Aakash Kt  wrote:

> Hi James,
>
> Just a small reminder that I have pushed a patch for review, according to
> changes you suggested :-)
>
> Thanks,
> Aakash
>
> On Mon, Mar 12, 2018 at 2:38 PM, James Page  wrote:
>
>> Hi Aakash
>>
>> On Sun, 11 Mar 2018 at 19:01 Aakash Kt  wrote:
>>
>>> Hi,
>>>
>>> I had previously put in a mail about the development for openstack-ovn
>>> charm. Sorry it took me this long to get back, was involved in other
>>> projects.
>>>
>>> I have submitted a charm spec for the above charm.
>>> Here is the review link : https://review.openstack.org/#/c/551800/
>>>
>>> Please look in to it and we can further discuss how to proceed.
>>>
>>
>> I'll feedback directly on the review.
>>
>> Thanks!
>>
>> James
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Thomas Morin]

Hi Gary,
Seehttp://lists.openstack.org/pipermail/openstack-dev/2018-March/128311
.html
> Note that thanks to the tox-siblings feature, we really continue to>
install neutron and horizon from git - and not use the versions in> the
global-requirements constraints file,
Gary Kotton, 2018-03-19 11:25:
> Hi,
> The change https://github.com/openstack/requirements/commit/35653e8c5
> 044bff1059f50a82b6065176eea has created some issues with
> decomposed neutron plugins. Let me try and give an example to
> explain.
> Say for example a patch landed in neutron master that exposed feature
> X. Now if a decomposed plugin wants to consume this it will fail as
> the decomposed plugin will pull in the latest tag.
> Does this mean for each new feature that we wish to consume we will
> need to update neutron tags?
> Please advise.
> Thanks
> Gary
> _
> _
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubs
> cribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

I think it is worth adding a comment in (test-)requirements.txt that
the OpenStack CI is overriding the version and uses git.

-Thomas

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [requirements][neutron] Depending on pypi versions

[Andreas Jaeger]

On 2018-03-19 12:25, Gary Kotton wrote:
> Hi,
> 
> The change
> https://github.com/openstack/requirements/commit/35653e8c5044bff1059f50a82b6065176eea
> has created some issues with decomposed neutron plugins. Let me try and
> give an example to explain.
> 
> Say for example a patch landed in neutron master that exposed feature X.
> Now if a decomposed plugin wants to consume this it will fail as the
> decomposed plugin will pull in the latest tag.

It will pull in git master if your job lists openstack/neutron in
required-projects.

It will pull in the latest tag if it's not listed.

Most repos are already setup with required-projects set to this - but
please double check.

> Does this mean for each new feature that we wish to consume we will need
> to update neutron tags?

No,
Andreas
-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
  SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Felix Imendörffer, Jane Smithard, Graham Norton,
   HRB 21284 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [requirements][neutron] Depending on pypi versions

[Gary Kotton]

Hi,
The change 
https://github.com/openstack/requirements/commit/35653e8c5044bff1059f50a82b6065176eea
 has created some issues with decomposed neutron plugins. Let me try and give 
an example to explain.
Say for example a patch landed in neutron master that exposed feature X. Now if 
a decomposed plugin wants to consume this it will fail as the decomposed plugin 
will pull in the latest tag.
Does this mean for each new feature that we wish to consume we will need to 
update neutron tags?
Please advise.
Thanks
Gary
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron] Prevent ARP spoofing

[Vadim Ponomarev]

Yes, there's really a need for mechanisms of high availability like
corosync, vrrp etc. Another simple example: we have two servers with the
active/standby HA configuration  (for example keepalived + haproxy) and we
have third-party monitoring system for these servers. The monitoring system
gets some load metrics and when one of the servers is unavailable, the
monitoring system scales architecture (adds new server to cluster) in this
way saving the HA architecture. In your case, this monitoring system must
do the following steps: create new instance, add new instance's MAC address
to allowed_address_pairs and only after that reconfigure all other nodes.
Otherwise cluster will not work. The solution to the problem is simple -
disable the prevent ARP spoofing mechnism.

Ok, we may used port_security options for this network with the HA cluster.
For this case we must reconfigure our monitoring systems, create
allowed_address_pairs for all current servers and (it's hardest) train our
users how that done.

Currently, we don't use the prevent ARP spoofing option
(prevent_arp_spoofing = False) and honestly I don't understand why this
option is enabled as default in private networks. Each such network belongs
to one user, who controls all instances. Who would decide to perform a MITM
attack in his own network?

2018-03-19 12:53 GMT+03:00 Kevin Benton :

> Do you need to spoof arbitrary addresses? If not (i.e. a set you know
> ahead of time), you can put entries in the allowed_address_pairs field of
> the port that will allow you to send traffic using other MAC/IPs.
>
> On Mar 19, 2018 8:42 PM, "Vadim Ponomarev"  wrote:
>
> Hi,
>
> I support, that is a problem. It's unclear, how after removing the option
> prevent_arp_spoofing, I can manage the prevent ARP spoofing mechanism.
> Example: I use security groups but I don't want to use ARP spoofing
> protection. How do I can disable the protection?
>
> 2018-03-14 10:26 GMT+03:00 Tatiana Kholkina :
>
>> Sure, there is an ability to enable ARP spoofing for the port/network,
>> but it is impossible to make it enabled by default for all ports.
>> It looks a bit complicated to me and I think it would be better to have
>> an ability to set default port security via config file.
>>
>> Best regards,
>> Tatiana
>>
>> 2018-03-13 15:10 GMT+03:00 Claudiu Belu :
>>
>>> Hi,
>>>
>>> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
>>> enabled for a port / network, you can simply disable the security groups on
>>> that neutron network / port.
>>>
>>> Best regards,
>>>
>>> Claudiu Belu
>>>
>>> --
>>> *From:* Татьяна Холкина [holk...@selectel.ru]
>>> *Sent:* Tuesday, March 13, 2018 12:54 PM
>>> *To:* openstack-dev@lists.openstack.org
>>> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
>>>
>>> Hi,
>>> I'm using an ocata release of OpenStack where the option
>>> prevent_arp_spoofing can be managed via conf. But later in pike it was
>>> removed and it was decided to prevent spoofing by default.
>>> There are cases where security features should be disabled. As I can see
>>> now we can use a port_security option for these cases. But this option
>>> should be set for a particular port or network on create. The default value
>>> is set to True [1] and itt is impossible to change it. I'd like to
>>> suggest to get default value for port_security [2] from config option.
>>> It would be nice to know your opinion.
>>>
>>> [1] https://github.com/openstack/neutron-lib/blob/
>>> stable/queens/neutron_lib/api/definitions/port_security.py#L21
>>> [2] https://github.com/openstack/neutron/blob/stable/
>>> queens/neutron/objects/extensions/port_security.py#L24
>>>
>>> Best regards,
>>> Tatiana
>>>
>>> 
>>> __
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:
>>> unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:
>> unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Best regards,
> Vadim Ponomarev
> Developer of network automation department at Selectel Ltd.
>
> 
> This message may contain confidential information that can't be
> distributed without the consent of the sender or the authorized person 
> Selectel
> Ltd.
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>

Re: [openstack-dev] [neutron] Prevent ARP spoofing

[Kevin Benton]

Do you need to spoof arbitrary addresses? If not (i.e. a set you know ahead
of time), you can put entries in the allowed_address_pairs field of the
port that will allow you to send traffic using other MAC/IPs.

On Mar 19, 2018 8:42 PM, "Vadim Ponomarev"  wrote:

Hi,

I support, that is a problem. It's unclear, how after removing the option
prevent_arp_spoofing, I can manage the prevent ARP spoofing mechanism.
Example: I use security groups but I don't want to use ARP spoofing
protection. How do I can disable the protection?

2018-03-14 10:26 GMT+03:00 Tatiana Kholkina :

> Sure, there is an ability to enable ARP spoofing for the port/network, but
> it is impossible to make it enabled by default for all ports.
> It looks a bit complicated to me and I think it would be better to have an
> ability to set default port security via config file.
>
> Best regards,
> Tatiana
>
> 2018-03-13 15:10 GMT+03:00 Claudiu Belu :
>
>> Hi,
>>
>> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
>> enabled for a port / network, you can simply disable the security groups on
>> that neutron network / port.
>>
>> Best regards,
>>
>> Claudiu Belu
>>
>> --
>> *From:* Татьяна Холкина [holk...@selectel.ru]
>> *Sent:* Tuesday, March 13, 2018 12:54 PM
>> *To:* openstack-dev@lists.openstack.org
>> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
>>
>> Hi,
>> I'm using an ocata release of OpenStack where the option
>> prevent_arp_spoofing can be managed via conf. But later in pike it was
>> removed and it was decided to prevent spoofing by default.
>> There are cases where security features should be disabled. As I can see
>> now we can use a port_security option for these cases. But this option
>> should be set for a particular port or network on create. The default value
>> is set to True [1] and itt is impossible to change it. I'd like to
>> suggest to get default value for port_security [2] from config option.
>> It would be nice to know your opinion.
>>
>> [1]
>> https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21
>> [2]
>> https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24
>>
>> Best regards,
>> Tatiana
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Best regards,
Vadim Ponomarev
Developer of network automation department at Selectel Ltd.


This message may contain confidential information that can't be distributed
without the consent of the sender or the authorized person Selectel Ltd.
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron] Prevent ARP spoofing

[Vadim Ponomarev]

Hi,

I support, that is a problem. It's unclear, how after removing the option
prevent_arp_spoofing, I can manage the prevent ARP spoofing mechanism.
Example: I use security groups but I don't want to use ARP spoofing
protection. How do I can disable the protection?

2018-03-14 10:26 GMT+03:00 Tatiana Kholkina :

> Sure, there is an ability to enable ARP spoofing for the port/network, but
> it is impossible to make it enabled by default for all ports.
> It looks a bit complicated to me and I think it would be better to have an
> ability to set default port security via config file.
>
> Best regards,
> Tatiana
>
> 2018-03-13 15:10 GMT+03:00 Claudiu Belu :
>
>> Hi,
>>
>> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
>> enabled for a port / network, you can simply disable the security groups on
>> that neutron network / port.
>>
>> Best regards,
>>
>> Claudiu Belu
>>
>> --
>> *From:* Татьяна Холкина [holk...@selectel.ru]
>> *Sent:* Tuesday, March 13, 2018 12:54 PM
>> *To:* openstack-dev@lists.openstack.org
>> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
>>
>> Hi,
>> I'm using an ocata release of OpenStack where the option
>> prevent_arp_spoofing can be managed via conf. But later in pike it was
>> removed and it was decided to prevent spoofing by default.
>> There are cases where security features should be disabled. As I can see
>> now we can use a port_security option for these cases. But this option
>> should be set for a particular port or network on create. The default value
>> is set to True [1] and itt is impossible to change it. I'd like to
>> suggest to get default value for port_security [2] from config option.
>> It would be nice to know your opinion.
>>
>> [1] https://github.com/openstack/neutron-lib/blob/stable/
>> queens/neutron_lib/api/definitions/port_security.py#L21
>> [2] https://github.com/openstack/neutron/blob/stable/queens/
>> neutron/objects/extensions/port_security.py#L24
>>
>> Best regards,
>> Tatiana
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Best regards,
Vadim Ponomarev
Developer of network automation department at Selectel Ltd.


This message may contain confidential information that can't be distributed
without the consent of the sender or the authorized person Selectel Ltd.
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [neutron] Bug deputy report

[270162781]

Hi all,


I'm zhaobo, I was the bug deputy for the last week and I'm afraid that cannot 
attending the comming upstream meeting so I'm sending out this report:


Last week there are some high priority bugs for neutron . Also some bugs need 
to attention, I list them here:


High priority
---


[CI failure] https://bugs.launchpad.net/neutron/+bug/1756301
Tempset DVR HA miltimode tests fails as no FIP connectivity. I suspect that it 
may be a devstack bug.


https://bugs.launchpad.net/neutron/+bug/1755243 
In DVR HA scenarios, it will hit the AttributeError if depoly a LB on the 
network node, and Neutron depolys a DvrEdgeRouter on the network node for LB, 
when server call "router_update" to agent, agent side want to check whether the 
router is an ha router. Then hit the error as DvrEdgeRouter doesn't have a 
attribute named "ha_state". I found Brain and Swaminathan already work around 
with the bug reporter.


Medium priority
---
https://bugs.launchpad.net/neutron/+bug/1756406
Dvr mac address format may be invalid for non native openflow interface, 
Swamination has already work on it.




Need attention
--
https://bugs.launchpad.net/neutron/+bug/1754695
As the bug description, the vxlan port on br-tun may miss in L3 DVR+HA large 
scale env, the probability of failure seems high. I have no idea about this, so 
need help from L3 team experts, then setting the priority.


https://bugs.launchpad.net/neutron/+bug/1755810
plugins.ml2.plugin.Ml2Plugin#_bind_port_if_needed There is a concurrency issue 
here, it will lead to a missing RPC notification which in turn result in a port 
stuck in DOWN status following a live-migration. I think we can check the 
details in the Bug descrption, it is enough to explain what the problem is.


https://bugs.launchpad.net/neutron/+bug/1737917
In l2pop scenarios, linux bridge agent want to rpc to server with 
"update_port_down", server will call list_router_ids_on_host with l3plugin, 
then it raise the error, agent will get the remote rpc error.So the process may 
looks like NeutronServer try to find l3 agent on compute node and failed. This 
bug is reported for a long time, as the reporter said he still hit the same 
issue on Queen/master, so I think it is worth to raise here. 


https://bugs.launchpad.net/neutron/+bug/1755414
This sounds like a enhancement for routing function. So need to raise it and 
discuss with our L3 experts about whether we need the "metric".



https://bugs.launchpad.net/neutron/+bug/1756064
Trunk bridge residue if restart the nove-compute before remove the vm in 
ovs-dpdk. As armando said, it may be related DPDK process. Armando mark it as 
Incomplete now for need more description about the issue condition.


Thanks,
Best Regards,


ZhaoBo__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev