Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-21 Thread loy wolfe
it is another BP about NFV:

https://review.openstack.org/#/c/97715


On Tue, Jul 22, 2014 at 9:37 AM, Isaku Yamahata 
wrote:

> On Mon, Jul 21, 2014 at 02:52:04PM -0500,
> Kyle Mestery  wrote:
>
> > > Following up with post SAD status:
> > >
> > >> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
> > >>   extension support
> > >
> > > Remains unapproved, no negative feedback on current revision.
> > >
> > >> * https://review.openstack.org/#/c/106222/ Add Port Security
> > >>   Implementation in ML2 Plugin
> > >
> > > Has a -2 to highlight the significant overlap with 99873 above.
> > >
> > > Although there were some discussions about these last week I am not
> sure we reached consensus on whether either of these (or even both of them)
> are the correct path forward - particularly to address the problem Brent
> raised w.r.t. creation of networks without subnets - I believe this
> currently still works with nova-network?
> > >
> > > Regardless, I am wondering if either of the spec authors intend to
> propose these for a spec freeze exception?
> > >
> > For the port security implementation in ML2, I've had one of the
> > authors reach out to me. I'd like them to send an email to the
> > openstack-dev ML though, so we can have the discussion here.
>
> As I commented at the gerrit, we, two authors of port security
> (Shweta and me), have agreed that the blueprints/specs will be unified.
> I'll send a mail for a spec freeze exception soon.
>
> thanks,
> --
> Isaku Yamahata 
>
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>


Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-21 Thread Isaku Yamahata
On Mon, Jul 21, 2014 at 02:52:04PM -0500,
Kyle Mestery  wrote:

> > Following up with post SAD status:
> >
> >> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
> >>   extension support
> >
> > Remains unapproved, no negative feedback on current revision.
> >
> >> * https://review.openstack.org/#/c/106222/ Add Port Security
> >>   Implementation in ML2 Plugin
> >
> > Has a -2 to highlight the significant overlap with 99873 above.
> >
> > Although there were some discussions about these last week I am not sure we 
> > reached consensus on whether either of these (or even both of them) are the 
> > correct path forward - particularly to address the problem Brent raised 
> > w.r.t. creation of networks without subnets - I believe this currently 
> > still works with nova-network?
> >
> > Regardless, I am wondering if either of the spec authors intend to propose 
> > these for a spec freeze exception?
> >
> For the port security implementation in ML2, I've had one of the
> authors reach out to me. I'd like them to send an email to the
> openstack-dev ML though, so we can have the discussion here.

As I commented at the gerrit, we, two authors of port security
(Shweta and me), have agreed that the blueprints/specs will be unified.
I'll send a mail for a spec freeze exception soon.

thanks,
-- 
Isaku Yamahata 



Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-21 Thread Kyle Mestery
On Mon, Jul 21, 2014 at 9:45 AM, Steve Gordon  wrote:
> - Original Message -
>> From: "Brent Eagles" 
>> To: openstack-dev@lists.openstack.org
>>
>> Hi,
>>
>> A bug titled "Creating quantum L2 networks (without subnets) doesn't
>> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
>> reported quite some time ago. Beyond the discussion in the bug report,
>> there have been related bugs reported a few times.
>>
>> * https://bugs.launchpad.net/nova/+bug/1304409
>> * https://bugs.launchpad.net/nova/+bug/1252410
>> * https://bugs.launchpad.net/nova/+bug/1237711
>> * https://bugs.launchpad.net/nova/+bug/1311731
>> * https://bugs.launchpad.net/nova/+bug/1043827
>>
>> BZs on this subject seem to have a hard time surviving. They get marked
>> as incomplete or invalid, or in the related issues, the problem NOT
>> related to the feature is addressed and the bug closed. We seem to dance
>> around actually getting around to implementing this. The multiple
>> reports show there *is* interest in this functionality but at the moment
>> we are without an actual implementation.
>>
>> At the moment there are multiple related blueprints:
>
> Following up with post SAD status:
>
>> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>>   extension support
>
> Remains unapproved, no negative feedback on current revision.
>
>> * https://review.openstack.org/#/c/106222/ Add Port Security
>>   Implementation in ML2 Plugin
>
> Has a -2 to highlight the significant overlap with 99873 above.
>
>> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
>
> Remains unapproved, no negative feedback on current revision.
>
> Although there were some discussions about these last week I am not sure we 
> reached consensus on whether either of these (or even both of them) are the 
> correct path forward - particularly to address the problem Brent raised 
> w.r.t. creation of networks without subnets - I believe this currently 
> still works with nova-network?
>
> Regardless, I am wondering if either of the spec authors intend to propose 
> these for a spec freeze exception?
>
For the port security implementation in ML2, I've had one of the
authors reach out to me. I'd like them to send an email to the
openstack-dev ML though, so we can have the discussion here. For the
"NFV unaddressed interfaces", I've not had anyone reach out to me yet.

Thanks,
Kyle

> Thanks,
>
> Steve
>


Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-21 Thread Steve Gordon
- Original Message -
> From: "Brent Eagles" 
> To: openstack-dev@lists.openstack.org
> 
> Hi,
> 
> A bug titled "Creating quantum L2 networks (without subnets) doesn't
> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> reported quite some time ago. Beyond the discussion in the bug report,
> there have been related bugs reported a few times.
> 
> * https://bugs.launchpad.net/nova/+bug/1304409
> * https://bugs.launchpad.net/nova/+bug/1252410
> * https://bugs.launchpad.net/nova/+bug/1237711
> * https://bugs.launchpad.net/nova/+bug/1311731
> * https://bugs.launchpad.net/nova/+bug/1043827
> 
> BZs on this subject seem to have a hard time surviving. They get marked
> as incomplete or invalid, or in the related issues, the problem NOT
> related to the feature is addressed and the bug closed. We seem to dance
> around actually getting around to implementing this. The multiple
> reports show there *is* interest in this functionality but at the moment
> we are without an actual implementation.
> 
> At the moment there are multiple related blueprints:

Following up with post SAD status:

> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>   extension support

Remains unapproved, no negative feedback on current revision.

> * https://review.openstack.org/#/c/106222/ Add Port Security
>   Implementation in ML2 Plugin

Has a -2 to highlight the significant overlap with 99873 above.

> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces

Remains unapproved, no negative feedback on current revision. 

Although there were some discussions about these last week I am not sure we 
reached consensus on whether either of these (or even both of them) are the 
correct path forward - particularly to address the problem Brent raised w.r.t. 
creation of networks without subnets - I believe this currently still works 
with nova-network?

Regardless, I am wondering if either of the spec authors intend to propose 
these for a spec freeze exception?

Thanks,

Steve



Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-14 Thread Baohua Yang
IMHO, the non-subnet port can be created in the technique.
This is quite useful especially when there is some special appliance, e.g.,
some firewall appliance without any IP necessarily.


On Tue, Jul 15, 2014 at 1:18 AM, Ian Wells  wrote:

> Funnily enough, when I first reported this bug I was actually trying to
> run Openstack in VMs on Openstack.  This works better now (not well; just
> better) in that there's L3 networking options, but the basic L2-VLAN
> networking option has never worked (fascinating we can't eat our own
> dogfood on this).
>
> Brent, to answer your point: networks with subnets don't work, and the
> reason they don't work is ports with 0 addresses don't work.  I've been
> thinking about this a long time, and there's two things here:
>
> - we want ports without addresses (specifically: without antispoof;
> actually, it makes reasonable sense to leave security groups on) to work
> - when people set up a network with no subnet, 99.99% of the time they do
> it, it's an accident - and booting a machine on that network with no address
> and no firewalling is almost certainly not a helpful thing to be doing.
>
> In summary, I think we need a way to make no-subnet cases work (and, for
> what it's worth, the unaddressed interface blueprint in there changed tack,
> it's more about firewalling now for almost exactly that reason), I think
> it's reasonable to put one hurdle between the advanced user and their
> intent to avoid shooting the common user in the foot.  I would suggest that
> we want port-no-address cases to work when someone has explicitly disabled
> the antispoof on the port - and not otherwise.  This works with
> portsecurity right now.
>
> My beef with the portsecurity BP is that it targets OVS (this is no use
> for NFV people, because OVS plugins don't work with VLAN tags) and it
> assumes that security groups and antispoof are related when they aren't,
> which is a fundamental issue of portsecurity and makes it annoying to use.
> It's also annoying when you get portsecurity errors when it's not even
> enabled, but I think we got past that point ;)
> --
> Ian.
>
>
> On 11 July 2014 15:36, Ben Nemec  wrote:
>
>> FWIW, I believe TripleO will need this if we're going to be able to do
>> https://blueprints.launchpad.net/tripleo/+spec/tripleo-on-openstack
>>
>> Being able to have instances without IPs assigned is basically required
>> for that.
>>
>> -Ben
>>
>> On 07/11/2014 04:41 PM, Brent Eagles wrote:
>> > Hi,
>> >
>> > A bug titled "Creating quantum L2 networks (without subnets) doesn't
>> > work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
>> > reported quite some time ago. Beyond the discussion in the bug report,
>> > there have been related bugs reported a few times.
>> >
>> > * https://bugs.launchpad.net/nova/+bug/1304409
>> > * https://bugs.launchpad.net/nova/+bug/1252410
>> > * https://bugs.launchpad.net/nova/+bug/1237711
>> > * https://bugs.launchpad.net/nova/+bug/1311731
>> > * https://bugs.launchpad.net/nova/+bug/1043827
>> >
>> > BZs on this subject seem to have a hard time surviving. They get marked
>> > as incomplete or invalid, or in the related issues, the problem NOT
>> > related to the feature is addressed and the bug closed. We seem to dance
>> > around actually getting around to implementing this. The multiple
>> > reports show there *is* interest in this functionality but at the moment
>> > we are without an actual implementation.
>> >
>> > At the moment there are multiple related blueprints:
>> >
>> > * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>> >   extension support
>> > * https://review.openstack.org/#/c/106222/ Add Port Security
>> >   Implementation in ML2 Plugin
>> > * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
>> >
>> > The first two blueprints, besides appearing to be very similar, propose
>> > implementing the "port security" extension currently employed by one of
>> > the neutron plugins. It is related to this issue as it allows a port to
>> > be configured indicating it does not want security groups to apply. This
>> > is relevant because without an address, a security group cannot be
>> > applied and this is treated as an error. Being able to specify
>> > "skipping" the security group criteria gets us a port on the network
>> > without an address, which is what happens when there is no subnet.
>> >
>> > The third approach is, on the face of it, related in that it proposes an
>> > interface without an address. However, on review it seems that the
>> > intent is not necessarily in line with some of the BZs mentioned
>> > above. Indeed there is text that seems to pretty clearly state that it
>> > is not intended to cover the port-without-an-IP situation. As an aside,
>> > the title in the commit message in the review could use revising.
>> >
>> > In order to implement something that finally implements the
>> > functionality alluded to in the above BZs in Juno, we need to settle on
>> > a

Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-14 Thread Ian Wells
Funnily enough, when I first reported this bug I was actually trying to run
Openstack in VMs on Openstack.  This works better now (not well; just
better) in that there's L3 networking options, but the basic L2-VLAN
networking option has never worked (fascinating we can't eat our own
dogfood on this).

Brent, to answer your point: networks with subnets don't work, and the
reason they don't work is ports with 0 addresses don't work.  I've been
thinking about this a long time, and there's two things here:

- we want ports without addresses (specifically: without antispoof;
actually, it makes reasonable sense to leave security groups on) to work
- when people set up a network with no subnet, 99.99% of the time they do
it, it's an accident - and booting a machine on that network with no address
and no firewalling is almost certainly not a helpful thing to be doing.

In summary, I think we need a way to make no-subnet cases work (and, for
what it's worth, the unaddressed interface blueprint in there changed tack,
it's more about firewalling now for almost exactly that reason), I think
it's reasonable to put one hurdle between the advanced user and their
intent to avoid shooting the common user in the foot.  I would suggest that
we want port-no-address cases to work when someone has explicitly disabled
the antispoof on the port - and not otherwise.  This works with
portsecurity right now.

My beef with the portsecurity BP is that it targets OVS (this is no use
for NFV people, because OVS plugins don't work with VLAN tags) and it
assumes that security groups and antispoof are related when they aren't,
which is a fundamental issue of portsecurity and makes it annoying to use.
It's also annoying when you get portsecurity errors when it's not even
enabled, but I think we got past that point ;)
-- 
Ian.


On 11 July 2014 15:36, Ben Nemec  wrote:

> FWIW, I believe TripleO will need this if we're going to be able to do
> https://blueprints.launchpad.net/tripleo/+spec/tripleo-on-openstack
>
> Being able to have instances without IPs assigned is basically required
> for that.
>
> -Ben
>
> On 07/11/2014 04:41 PM, Brent Eagles wrote:
> > Hi,
> >
> > A bug titled "Creating quantum L2 networks (without subnets) doesn't
> > work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> > reported quite some time ago. Beyond the discussion in the bug report,
> > there have been related bugs reported a few times.
> >
> > * https://bugs.launchpad.net/nova/+bug/1304409
> > * https://bugs.launchpad.net/nova/+bug/1252410
> > * https://bugs.launchpad.net/nova/+bug/1237711
> > * https://bugs.launchpad.net/nova/+bug/1311731
> > * https://bugs.launchpad.net/nova/+bug/1043827
> >
> > BZs on this subject seem to have a hard time surviving. They get marked
> > as incomplete or invalid, or in the related issues, the problem NOT
> > related to the feature is addressed and the bug closed. We seem to dance
> > around actually getting around to implementing this. The multiple
> > reports show there *is* interest in this functionality but at the moment
> > we are without an actual implementation.
> >
> > At the moment there are multiple related blueprints:
> >
> > * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
> >   extension support
> > * https://review.openstack.org/#/c/106222/ Add Port Security
> >   Implementation in ML2 Plugin
> > * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
> >
> > The first two blueprints, besides appearing to be very similar, propose
> > implementing the "port security" extension currently employed by one of
> > the neutron plugins. It is related to this issue as it allows a port to
> > be configured indicating it does not want security groups to apply. This
> > is relevant because without an address, a security group cannot be
> > applied and this is treated as an error. Being able to specify
> > "skipping" the security group criteria gets us a port on the network
> > without an address, which is what happens when there is no subnet.
> >
> > The third approach is, on the face of it, related in that it proposes an
> > interface without an address. However, on review it seems that the
> > intent is not necessarily in line with some of the BZs mentioned
> > above. Indeed there is text that seems to pretty clearly state that it
> > is not intended to cover the port-without-an-IP situation. As an aside,
> > the title in the commit message in the review could use revising.
> >
> > In order to implement something that finally implements the
> > functionality alluded to in the above BZs in Juno, we need to settle on
> > a blueprint and direction. Barring the happy possibility of a resolution
> > beforehand, can this be made an agenda item in the next Nova and/or
> > Neutron meetings?
> >
> > Cheers,
> >
> > Brent
> >

Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-14 Thread loy wolfe
On Mon, Jul 14, 2014 at 4:14 PM, Isaku Yamahata 
wrote:

> Hi.
>
> > 4) with the no-port-security option, we should implement ovs-plug instead of
> > ovs-hybrid-plug, to totally bypass qbr and not just change iptables rules.
> > The performance of the latter is 50% lower for small-size packets even if the
> > iptables are empty, and 20% lower even if we disable the iptables hook on the
> > Linux bridge.
>
> Is this only for performance reason?
> What do you think about disabling and then enabling port-security?
> portsecurity API allows to dynamically change the setting after port
> plugging.
>
> thanks,
>
>
the ideal way is that OVS can hook into the iptables chain on a per-flow basis, but
now we have to make some trade-offs. The requirement of no filter comes from NFV:
VNF VMs should not need to dynamically enable/disable the filter, and they are IO
performance critical apps.

However, at the API level we may need to distinguish these two cases: for a VNF
VM we need to totally bypass qbr with a "no-port-filter" setting and
ovs-plug, while for certain other VMs we just need something like
"default-empty-filter", still with ovs-hybrid-plug.


>
> On Mon, Jul 14, 2014 at 11:19:05AM +0800,
> loy wolfe  wrote:
>
> > A port with flexible IP address settings is necessary. I collected several use
> > cases:
> >
> > 1) when creating a port, we need to indicate that it is
> > [A] binding to none of the subnets (no IP address);
> > [B] binding to all subnets;
> > [C] binding to any subnet;
> > [D] binding to an explicit list of subnets, and/or a list of IP addresses in
> > each subnet.
> > It seems that the existing code implements [C] as the default case.
> >
> > 2) after creating the port, we need to dynamically change its address
> > setting:
> > [A] remove a single IP address
> > [B] remove all IP addresses of a subnet
> > [C] add an IP address on a specified subnet
> > It's not the same as "allowed-addr-pair", but it really needs to allocate an IP
> > in the subnet.
> >
> > 3) we need to allow a router to add an interface by network UUID, not only by
> > subnet UUID.
> > Today an L3 router adds an interface by subnet, but it's not the common use case
> > that an L2 segment connects to different router interfaces with its different
> > subnets. When a network has multiple subnets, we should allow the network
> > but not the subnet to attach to the router. Also, we should allow a network
> > without any subnet (or a port without an IP address) to attach to a router
> > (somewhat like a brouter), while adding/deleting interface addresses of different
> > subnets dynamically later.
> >
> > This feature should also be helpful for the pluggable external network BP.
> >
> > 4) with the no-port-security option, we should implement ovs-plug instead of
> > ovs-hybrid-plug, to totally bypass qbr and not just change iptables rules.
> > The performance of the latter is 50% lower for small-size packets even if the
> > iptables are empty, and 20% lower even if we disable the iptables hook on the
> > Linux bridge.
> >
> >
> >
> > On Mon, Jul 14, 2014 at 9:56 AM, Kyle Mestery  >
> > wrote:
> >
> > > On Fri, Jul 11, 2014 at 4:41 PM, Brent Eagles 
> wrote:
> > >
> > >> Hi,
> > >>
> > >> A bug titled "Creating quantum L2 networks (without subnets) doesn't
> > >> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> > >> reported quite some time ago. Beyond the discussion in the bug report,
> > >> there have been related bugs reported a few times.
> > >>
> > >> * https://bugs.launchpad.net/nova/+bug/1304409
> > >> * https://bugs.launchpad.net/nova/+bug/1252410
> > >> * https://bugs.launchpad.net/nova/+bug/1237711
> > >> * https://bugs.launchpad.net/nova/+bug/1311731
> > >> * https://bugs.launchpad.net/nova/+bug/1043827
> > >>
> > >> BZs on this subject seem to have a hard time surviving. They get marked
> > >> as incomplete or invalid, or in the related issues, the problem NOT
> > >> related to the feature is addressed and the bug closed. We seem to
> dance
> > >> around actually getting around to implementing this. The multiple
> > >> reports show there *is* interest in this functionality but at the
> moment
> > >> we are without an actual implementation.
> > >>
> > >> At the moment there are multiple related blueprints:
> > >>
> > >> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
> > >>   extension support
> > >> * https://review.openstack.org/#/c/106222/ Add Port Security
> > >>   Implementation in ML2 Plugin
> > >> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
> > >>
> > >> The first two blueprints, besides appearing to be very similar,
> propose
> > >> implementing the "port security" extension currently employed by one
> of
> > >> the neutron plugins. It is related to this issue as it allows a port
> to
> > >> be configured indicating it does not want security groups to apply.
> This
> > >> is relevant because without an address, a security group cannot be
> > >> applied and this is treated as an error. Being able to specify
> > >> "skipping" the security group criter

Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-14 Thread Isaku Yamahata
Hi.

> 4) with the no-port-security option, we should implement ovs-plug instead of
> ovs-hybrid-plug, to totally bypass qbr and not just change iptables rules.
> The performance of the latter is 50% lower for small-size packets even if the
> iptables are empty, and 20% lower even if we disable the iptables hook on the
> Linux bridge.

Is this only for performance reason?
What do you think about disabling and then enabling port-security?
portsecurity API allows to dynamically change the setting after port plugging.

thanks,


On Mon, Jul 14, 2014 at 11:19:05AM +0800,
loy wolfe  wrote:

> A port with flexible IP address settings is necessary. I collected several use
> cases:
> 
> 1) when creating a port, we need to indicate that it is
> [A] binding to none of the subnets (no IP address);
> [B] binding to all subnets;
> [C] binding to any subnet;
> [D] binding to an explicit list of subnets, and/or a list of IP addresses in
> each subnet.
> It seems that the existing code implements [C] as the default case.
> 
> 2) after creating the port, we need to dynamically change its address
> setting:
> [A] remove a single IP address
> [B] remove all IP addresses of a subnet
> [C] add an IP address on a specified subnet
> It's not the same as "allowed-addr-pair", but it really needs to allocate an IP
> in the subnet.
> 
> 3) we need to allow a router to add an interface by network UUID, not only by
> subnet UUID.
> Today an L3 router adds an interface by subnet, but it's not the common use case
> that an L2 segment connects to different router interfaces with its different
> subnets. When a network has multiple subnets, we should allow the network
> but not the subnet to attach to the router. Also, we should allow a network
> without any subnet (or a port without an IP address) to attach to a router
> (somewhat like a brouter), while adding/deleting interface addresses of different
> subnets dynamically later.
> 
> This feature should also be helpful for the pluggable external network BP.
> 
> 4) with the no-port-security option, we should implement ovs-plug instead of
> ovs-hybrid-plug, to totally bypass qbr and not just change iptables rules.
> The performance of the latter is 50% lower for small-size packets even if the
> iptables are empty, and 20% lower even if we disable the iptables hook on the
> Linux bridge.
> 
> 
> 
> On Mon, Jul 14, 2014 at 9:56 AM, Kyle Mestery 
> wrote:
> 
> > On Fri, Jul 11, 2014 at 4:41 PM, Brent Eagles  wrote:
> >
> >> Hi,
> >>
> >> A bug titled "Creating quantum L2 networks (without subnets) doesn't
> >> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> >> reported quite some time ago. Beyond the discussion in the bug report,
> >> there have been related bugs reported a few times.
> >>
> >> * https://bugs.launchpad.net/nova/+bug/1304409
> >> * https://bugs.launchpad.net/nova/+bug/1252410
> >> * https://bugs.launchpad.net/nova/+bug/1237711
> >> * https://bugs.launchpad.net/nova/+bug/1311731
> >> * https://bugs.launchpad.net/nova/+bug/1043827
> >>
> >> BZs on this subject seem to have a hard time surviving. They get marked
> >> as incomplete or invalid, or in the related issues, the problem NOT
> >> related to the feature is addressed and the bug closed. We seem to dance
> >> around actually getting around to implementing this. The multiple
> >> reports show there *is* interest in this functionality but at the moment
> >> we are without an actual implementation.
> >>
> >> At the moment there are multiple related blueprints:
> >>
> >> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
> >>   extension support
> >> * https://review.openstack.org/#/c/106222/ Add Port Security
> >>   Implementation in ML2 Plugin
> >> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
> >>
> >> The first two blueprints, besides appearing to be very similar, propose
> >> implementing the "port security" extension currently employed by one of
> >> the neutron plugins. It is related to this issue as it allows a port to
> >> be configured indicating it does not want security groups to apply. This
> >> is relevant because without an address, a security group cannot be
> >> applied and this is treated as an error. Being able to specify
> >> "skipping" the security group criteria gets us a port on the network
> >> without an address, which is what happens when there is no subnet.
> >>
> >> The third approach is, on the face of it, related in that it proposes an
> >> interface without an address. However, on review it seems that the
> >> intent is not necessarily in line with some of the BZs mentioned
> >> above. Indeed there is text that seems to pretty clearly state that it
> >> is not intended to cover the port-without-an-IP situation. As an aside,
> >> the title in the commit message in the review could use revising.
> >>
> >> In order to implement something that finally implements the
> >> functionality alluded to in the above BZs in Juno, we need to settle on
> >> a blueprint and direction. Barring the happy possibility of a resolution
> >> befo

Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-13 Thread loy wolfe
A port with flexible IP address settings is necessary. I collected several use
cases:

1) when creating a port, we need to indicate that it is
[A] binding to none of the subnets (no IP address);
[B] binding to all subnets;
[C] binding to any subnet;
[D] binding to an explicit list of subnets, and/or a list of IP addresses in
each subnet.
It seems that the existing code implements [C] as the default case.

2) after creating the port, we need to dynamically change its address
setting:
[A] remove a single IP address
[B] remove all IP addresses of a subnet
[C] add an IP address on a specified subnet
It's not the same as "allowed-addr-pair", but it really needs to allocate an IP
in the subnet.

3) we need to allow a router to add an interface by network UUID, not only by
subnet UUID.
Today an L3 router adds an interface by subnet, but it's not the common use case
that an L2 segment connects to different router interfaces with its different
subnets. When a network has multiple subnets, we should allow the network
but not the subnet to attach to the router. Also, we should allow a network
without any subnet (or a port without an IP address) to attach to a router
(somewhat like a brouter), while adding/deleting interface addresses of different
subnets dynamically later.

This feature should also be helpful for the pluggable external network BP.

4) with the no-port-security option, we should implement ovs-plug instead of
ovs-hybrid-plug, to totally bypass qbr and not just change iptables rules.
The performance of the latter is 50% lower for small-size packets even if the
iptables are empty, and 20% lower even if we disable the iptables hook on the
Linux bridge.



On Mon, Jul 14, 2014 at 9:56 AM, Kyle Mestery 
wrote:

> On Fri, Jul 11, 2014 at 4:41 PM, Brent Eagles  wrote:
>
>> Hi,
>>
>> A bug titled "Creating quantum L2 networks (without subnets) doesn't
>> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
>> reported quite some time ago. Beyond the discussion in the bug report,
>> there have been related bugs reported a few times.
>>
>> * https://bugs.launchpad.net/nova/+bug/1304409
>> * https://bugs.launchpad.net/nova/+bug/1252410
>> * https://bugs.launchpad.net/nova/+bug/1237711
>> * https://bugs.launchpad.net/nova/+bug/1311731
>> * https://bugs.launchpad.net/nova/+bug/1043827
>>
>> BZs on this subject seem to have a hard time surviving. They get marked
>> as incomplete or invalid, or in the related issues, the problem NOT
>> related to the feature is addressed and the bug closed. We seem to dance
>> around actually getting around to implementing this. The multiple
>> reports show there *is* interest in this functionality but at the moment
>> we are without an actual implementation.
>>
>> At the moment there are multiple related blueprints:
>>
>> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>>   extension support
>> * https://review.openstack.org/#/c/106222/ Add Port Security
>>   Implementation in ML2 Plugin
>> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
>>
>> The first two blueprints, besides appearing to be very similar, propose
>> implementing the "port security" extension currently employed by one of
>> the neutron plugins. It is related to this issue as it allows a port to
>> be configured indicating it does not want security groups to apply. This
>> is relevant because without an address, a security group cannot be
>> applied and this is treated as an error. Being able to specify
>> "skipping" the security group criteria gets us a port on the network
>> without an address, which is what happens when there is no subnet.
>>
>> The third approach is, on the face of it, related in that it proposes an
>> interface without an address. However, on review it seems that the
>> intent is not necessarily in line with some of the BZs mentioned
>> above. Indeed there is text that seems to pretty clearly state that it
>> is not intended to cover the port-without-an-IP situation. As an aside,
>> the title in the commit message in the review could use revising.
>>
>> In order to implement something that finally implements the
>> functionality alluded to in the above BZs in Juno, we need to settle on
>> a blueprint and direction. Barring the happy possibility of a resolution
>> beforehand, can this be made an agenda item in the next Nova and/or
>> Neutron meetings?
>>
> I think this is worth discussing. I've added this to the "Team Discussion
> Topics" section of the Neutron meeting [1] on 7-14-2014. I hope you can
> attend Brent!
>
> Thanks,
> Kyle
>
> [1]
> https://wiki.openstack.org/wiki/Network/Meetings#Team_Discussion_Topics
>
>
>> Cheers,
>>
>> Brent
>>
>
>

Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-13 Thread Kyle Mestery
On Fri, Jul 11, 2014 at 4:41 PM, Brent Eagles  wrote:

> Hi,
>
> A bug titled "Creating quantum L2 networks (without subnets) doesn't
> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> reported quite some time ago. Beyond the discussion in the bug report,
> there have been related bugs reported a few times.
>
> * https://bugs.launchpad.net/nova/+bug/1304409
> * https://bugs.launchpad.net/nova/+bug/1252410
> * https://bugs.launchpad.net/nova/+bug/1237711
> * https://bugs.launchpad.net/nova/+bug/1311731
> * https://bugs.launchpad.net/nova/+bug/1043827
>
> BZs on this subject seem to have a hard time surviving. They get marked
> as incomplete or invalid, or in the related issues, the problem NOT
> related to the feature is addressed and the bug closed. We seem to dance
> around actually getting around to implementing this. The multiple
> reports show there *is* interest in this functionality but at the moment
> we are without an actual implementation.
>
> At the moment there are multiple related blueprints:
>
> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>   extension support
> * https://review.openstack.org/#/c/106222/ Add Port Security
>   Implementation in ML2 Plugin
> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
>
> The first two blueprints, besides appearing to be very similar, propose
> implementing the "port security" extension currently employed by one of
> the neutron plugins. It is related to this issue as it allows a port to
> be configured indicating it does not want security groups to apply. This
> is relevant because without an address, a security group cannot be
> applied and this is treated as an error. Being able to specify
> "skipping" the security group criteria gets us a port on the network
> without an address, which is what happens when there is no subnet.
>
> The third approach is, on the face of it, related in that it proposes an
> interface without an address. However, on review it seems that the
> intent is not necessarily in line with some of the BZs mentioned
> above. Indeed there is text that seems to pretty clearly state that it
> is not intended to cover the port-without-an-IP situation. As an aside,
> the title in the commit message in the review could use revising.
>
> In order to implement something that finally implements the
> functionality alluded to in the above BZs in Juno, we need to settle on
> a blueprint and direction. Barring the happy possibility of a resolution
> beforehand, can this be made an agenda item in the next Nova and/or
> Neutron meetings?
>
I think this is worth discussing. I've added this to the "Team Discussion
Topics" section of the Neutron meeting [1] on 7-14-2014. I hope you can
attend Brent!

Thanks,
Kyle

[1] https://wiki.openstack.org/wiki/Network/Meetings#Team_Discussion_Topics


> Cheers,
>
> Brent
>


Re: [openstack-dev] [nova][neutron] Networks without subnets

2014-07-11 Thread Ben Nemec
FWIW, I believe TripleO will need this if we're going to be able to do
https://blueprints.launchpad.net/tripleo/+spec/tripleo-on-openstack

Being able to have instances without IPs assigned is basically required
for that.

-Ben

On 07/11/2014 04:41 PM, Brent Eagles wrote:
> Hi,
> 
> A bug titled "Creating quantum L2 networks (without subnets) doesn't
> work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
> reported quite some time ago. Beyond the discussion in the bug report,
> there have been related bugs reported a few times.
> 
> * https://bugs.launchpad.net/nova/+bug/1304409
> * https://bugs.launchpad.net/nova/+bug/1252410
> * https://bugs.launchpad.net/nova/+bug/1237711
> * https://bugs.launchpad.net/nova/+bug/1311731
> * https://bugs.launchpad.net/nova/+bug/1043827
> 
> BZs on this subject seem to have a hard time surviving. They get marked
> as incomplete or invalid, or in the related issues, the problem NOT
> related to the feature is addressed and the bug closed. We seem to dance
> around actually getting around to implementing this. The multiple
> reports show there *is* interest in this functionality but at the moment
> we are without an actual implementation.
> 
> At the moment there are multiple related blueprints:
> 
> * https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
>   extension support
> * https://review.openstack.org/#/c/106222/ Add Port Security
>   Implementation in ML2 Plugin
> * https://review.openstack.org/#/c/97715 NFV unaddressed interfaces
> 
> The first two blueprints, besides appearing to be very similar, propose
> implementing the "port security" extension currently employed by one of
> the neutron plugins. It is related to this issue as it allows a port to
> be configured indicating it does not want security groups to apply. This
> is relevant because without an address, a security group cannot be
> applied and this is treated as an error. Being able to specify
> "skipping" the security group criteria gets us a port on the network
> without an address, which is what happens when there is no subnet.
> 
> The third approach is, on the face of it, related in that it proposes an
> interface without an address. However, on review it seems that the
> intent is not necessarily in line with some of the BZs mentioned
> above. Indeed there is text that seems to pretty clearly state that it
> is not intended to cover the port-without-an-IP situation. As an aside,
> the title in the commit message in the review could use revising.
> 
> In order to implement something that finally implements the
> functionality alluded to in the above BZs in Juno, we need to settle on
> a blueprint and direction. Barring the happy possibility of a resolution
> beforehand, can this be made an agenda item in the next Nova and/or
> Neutron meetings?
> 
> Cheers,
> 
> Brent
> 




[openstack-dev] [nova][neutron] Networks without subnets

2014-07-11 Thread Brent Eagles
Hi,

A bug titled "Creating quantum L2 networks (without subnets) doesn't
work as expected" (https://bugs.launchpad.net/nova/+bug/1039665) was
reported quite some time ago. Beyond the discussion in the bug report,
there have been related bugs reported a few times.

* https://bugs.launchpad.net/nova/+bug/1304409
* https://bugs.launchpad.net/nova/+bug/1252410
* https://bugs.launchpad.net/nova/+bug/1237711
* https://bugs.launchpad.net/nova/+bug/1311731
* https://bugs.launchpad.net/nova/+bug/1043827

BZs on this subject seem to have a hard time surviving. They get marked
as incomplete or invalid, or in the related issues, the problem NOT
related to the feature is addressed and the bug closed. We seem to dance
around actually getting around to implementing this. The multiple
reports show there *is* interest in this functionality but at the moment
we are without an actual implementation.

At the moment there are multiple related blueprints:

* https://review.openstack.org/#/c/99873/ ML2 OVS: portsecurity
  extension support
* https://review.openstack.org/#/c/106222/ Add Port Security
  Implementation in ML2 Plugin
* https://review.openstack.org/#/c/97715 NFV unaddressed interfaces

The first two blueprints, besides appearing to be very similar, propose
implementing the "port security" extension currently employed by one of
the neutron plugins. It is related to this issue as it allows a port to
be configured indicating it does not want security groups to apply. This
is relevant because without an address, a security group cannot be
applied and this is treated as an error. Being able to specify
"skipping" the security group criteria gets us a port on the network
without an address, which is what happens when there is no subnet.

The third approach is, on the face of it, related in that it proposes an
interface without an address. However, on review it seems that the
intent is not necessarily in line with some of the BZs mentioned
above. Indeed there is text that seems to pretty clearly state that it
is not intended to cover the port-without-an-IP situation. As an aside,
the title in the commit message in the review could use revising.

In order to implement something that finally implements the
functionality alluded to in the above BZs in Juno, we need to settle on
a blueprint and direction. Barring the happy possibility of a resolution
beforehand, can this be made an agenda item in the next Nova and/or
Neutron meetings?

Cheers,

Brent

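The interaction Brent describes (a port on a subnet-less network has no address, a security group cannot be applied without one, and the port-security extension lets the port opt out of security groups), together with loy wolfe's point 4 on plugging, as an added Python model that is not Neutron or Nova code; the Network and PortPlan types, the placeholder address allocation and the "ovs-plug"/"ovs-hybrid-plug" labels are constructed for the illustration:

```python
# Added illustration (not Neutron or Nova code) of the decision the thread
# describes: a port on a network without subnets, the proposed
# port_security_enabled flag, and the VIF plugging choice from point 4.
from dataclasses import dataclass, field


class PortCreateError(Exception):
    """Raised where the behaviour described in the bugs rejects the request."""


@dataclass
class Network:
    name: str
    subnets: list = field(default_factory=list)  # CIDRs; empty means L2-only


@dataclass
class PortPlan:
    fixed_ips: list
    security_groups: list
    vif_plug: str  # "ovs-hybrid-plug" (through qbr/iptables) or "ovs-plug"


def plan_port(network, security_groups=None, port_security_enabled=True):
    """Return a PortPlan, or raise PortCreateError as the current code does."""
    security_groups = list(security_groups or [])
    # Placeholder allocation: one address per subnet, none on an L2-only net.
    fixed_ips = [f"{cidr}:auto" for cidr in network.subnets]

    if not port_security_enabled:
        # Port security off: no security groups may be attached, so an
        # unaddressed port is fine and the qbr bridge can be bypassed.
        if security_groups:
            raise PortCreateError("port_security_enabled=False forbids groups")
        return PortPlan(fixed_ips, [], "ovs-plug")

    # Port security on: the (default) security group needs an address to
    # build its rules, which is exactly what fails on a subnet-less network.
    if not fixed_ips:
        raise PortCreateError(
            f"network {network.name} has no subnets; cannot apply groups")
    return PortPlan(fixed_ips, security_groups or ["default"], "ovs-hybrid-plug")


def is_accepted(network, security_groups=None, port_security_enabled=True):
    """True if plan_port would succeed; handy for tabulating the cases."""
    try:
        plan_port(network, security_groups, port_security_enabled)
        return True
    except PortCreateError:
        return False
```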