
A

You.

A

You.

B

Good morning, hi ed, hey.

C

Hello, everyone. There was some confusion, I was on an airplane and Friedrich was ill and yeah.

D

Come on public holidays, so.

E

I've.

D

Consequences.

E

Yeah- and it was the confluence of events, so.

C

Yeah I've been was traveling to somebody thing internally last week and so got very, very, very distracted but I think back to moving things forward again.

C

Cole, does someone want to I guess I can share the oh hey welcome morning Nikolai morning.

C

I'm just having my first cup of coffee so I'm a little bit still a little bit.

D

Out of it, I'm gonna be jealous because it's almost a night for us and hang a coffee all nights, not very good. No.

C

No I, usually they they don't have coffee. Usually after 2 p.m. my time, just a low-rise. It doesn't go well. So all right, let me see if I can share the issue and PR tracking.

C

Google Chrome issue in PR tracking.

F

Morning, Frederick yeah.

C

That was that was just commenting that I am just having my first cup of coffee, but it's even you earlier for you. So.

F

Yeah, I was gonna ask if you can take I could take the meeting today because I had a 2:00 a.m. you see that required me to drive.

F

But yeah I was gonna. Look at dropping out for there today, yeah.

C

We'll figure something out on like I, said I'm kind of racking cool so going through the board, starting with some progress.

C

So we got a mechanism necessarily see actually return, 0 value for parameter instead of error. Oh.

B

It's related to GDP senior convention about return parameters.

C

Okay,.

C

Could you say more I'm not quite following oh.

B

Can you open the my PR related to my god, remote mechanism into a baa-baa.

B

Yeah.

B

Let's open the car sure.

B

Yes- and here you suggest, to use your PC convention.

B

I have implemented this for the servicios six okay.

C

That makes perfect sense, apologies for being so slow this morning, yeah because that does help a great deal, because otherwise you might get very complicated, stanzas things so and if memory serves yeah, so I mean it that's a fairly common convention. So okay, that's been explained to be a 36, and then we explain I'll go ahead and take a look at those today and then you had some news on the.

C

CoreDNS, the fan-out plugin stuff threes, I know we talked a little bit about this, but it's probably better to talk about it in the broader community. A bit. Oh.

B

Yes, in short, CoreDNS guys suggested using forward plugin with zones handling instead of fan-out plugin.

B

This way looks.

B

Good for us- and it also can simplify our in a same specific part of the nest and I have.

E

Prepared PR.

B

For this and.

E

It's.

B

Not partial CI yet but I'll work on this.

D

Did you have some use case for using a fan-out? Oh, it's, okay, to use a forwarder for now, Oh.

B

Actually, if the user can correctly configure his DNS configs, in this case forward plugin will work fine, but we could face some problems with.

B

We can face the problems with recursive servers, but I actually can't find any case where the forward plugin with zones handling will not work as expected.

C

Yeah.

C

The discussion with the CoreDNS folks and they basically said you know we should describe what we're trying to do what we were trying to do and he said hey.

C

You know you can just if you've got usually nerd dns servers, you can use the zones so that, if I come in with the network, service and I say, look I'm providing DNS or foo.example.com MIDI NS contacts, then we can simply put a record in for foo.example.com and do our lookup there and be you know the distance I think about as good as we're going to get.

C

We still have the underlying problem that you know. If people are doing D announce, then you they may be representing for the same domain name different IPs internally and externally, but that's going to be a problem, no matter what we do.

C

So, oh.

B

Yes, you're right, I can suggest some solution by Slack after the meeting. If you very.

C

Interesting, yes, okay, cool, and then there was a comment here: Denise about cross connect, server, sitting empty statistics for metrics. Yes,.

B

Had a mojit PR related to speech, metric service to start spoiling service from VPP and looks like the problem is solved and I ask it Ivana to check this. Oh.

D

Yeah I also could confirm my test, but pong service is working. Fine, perfect.

C

Take a look and see if that's been resolved, my general rule of thumb is I prefer possible to get confirmation to the person who opened the bud. That, in fact, is their problem because I'm sure we've all been there, where you did your little best and you buy a new face. Didn't everybody agree, be fixed, didn't even vaguely fixed it.

C

Okay and then add option to break tests after several festivals. This was a cloud testing.

A

And now I'm waiting, my reviewers to approve.

C

Cool thanks a lot I'm, the last person who can give a little bit later review cool, alright.

C

So in progress, so this is another one that you'd open. The prettiest thing by hosting could not be successful chain tests.

B

All this is a simple problem which was found by test in the same suits I.

E

Found.

B

That some chain I can make ping is not success. I have added steps to reproduce.

B

Okay, oh, can you open the issue all right.

D

Yeah, it looks simple, but, as we discussed internally, it's um happening inside a VPP and ping is not going.

C

Okay, so for a creative business to know, everything should be successful for client in points.

C

So I'm, not quite following a little the fact that thing is not going for through it. How is this related to the hostname thinking about yesterday? Oh.

B

It's test related to DNS, just using DNS and tries ping NSE by hostname in the test, NSE just have some DNS config. For this specific name host and just through trying ping NSE by its hostname, okay and yeah, we face problems at with chain tests in suites. It can fail on CI and I.

B

Just add added issue for this.

C

Okay, so I guess the question is the problem DNS resolution or is the problem with I.

B

Think it's related to VPP. I just quickly look it into logs and I found that that forwarder has very huge logs and I think we need to investigate this problem because.

F

I.

B

Have attached the logs.

B

Okay,.

D

I, mostly.

C

Wanted.

D

To switching to suites for integration tests when we reuse the same forwarder and same network service manager- and we come to issues like this okay.

E

Okay, that's that's.

C

Starting to make a bit more sense than okay.

C

Okay, so you're, currently digging into if I'm, correct,.

B

Yep, yes,.

C

Adding the leak for checking goroutines on the CI.

C

I've.

A

Had this go leak, gentleman take and it showed that there are leaks in he'll, clean and the manatorian and now I'm trying to figure out how to analyze properly without leaks you can he walks on shy.

C

So I think overall, this is you know. Checking for leaks is definitely a good thing. It's so you're saying heal and monitor are leaking. It's about an expected, goroutines. Leave the tests.

C

So it's possible that what's going on here, is that the tests are not properly providing the right close thing, because I know that one of the things that alia did was he switched over to at least heal and I think perhaps also monitor having a chain level context that you could cancel in order to call the event the various goroutines to quit. So you may want to take a look and see if, in fact, the tests themselves are are closing that con are canceling that context at the end where's the leak.

D

Yeah yeah, it's probably.

C

But now I think gotta go go. Leaks is a wonderful thing because we're wanting to run long term. We definitely know what to be leaking. Go routines.

C

Okay, so the command that we're service manager, application and testing stuff I saw that going by.

D

Mostly public centric isn't PTO, unfortunately, today and I plan to have him, so the general idea is to have network service manager based on a new is the key chain elements, and that required trail elements to is the key yep.

C

No I think I do have a question for guys for you guys this is. This is more than anything sort of like trying to sort out whether or not I'm, making things too hard. You would look to calling this command asking network service manager, which is a perfectly fine name. I've been thinking about telling a command. That's key! That's never service manager, because it's kubernetes related I, don't know if that would be overcomplicated, naming or whether or not it communicates simply used for valuable, so like input on that would be super. Welcome for my side,.

D

Yeah, actually we can choose any name if you have some document describing naming policy for all of his applications. So it's a good time to use a better name.

B

Service major pod contains three pots: yeah.

D

It's a go into current innocent. The container.

D

Application independent from the Kubernetes.

C

Okay, so I mean we can we definitely sort that out. I know, for example. Well, but is it actually doesn't make any sense? It turns out that we make are less incredibly hard and painful. I pulling out the network service manager device plugin into a separate, a separate container that just makes like really hard for another reason. So when doing this, I was thinking of actually just having it expose device plugin piece directly from the network service manager command, because there's literally no point in pulling it apart separately and then.

D

I think we discussed it before already. We needed device plugin only if we want to have a workspace if a mini and so on, and then point mostly so probably we could do the same way as a kubernetes do and have just one single socket. Don't.

C

Foreignness.

D

Nsm and how.

C

I would love to get to something like that. The the tricky problem is, how do I get the read so the on the one side you've got one socket where the network service manager is listening right, yeah. On the other side, you need to also have a socket where the NSA is listening. Yeah.

D

But for kubernetes we also need the same way, so we can just create sound file inside the folder mount it to both of us and provide it to a nest manager. So it could connect to annecy yeah misako file.

C

Again, how do you, how do you get there? The tricky problem you run into is that if you want to get per pod directories to put the socket file in, then you need to have some way of getting those per pod per fantasy at I.

D

Think they could just have one folder, because we have a security right now. It's not a problem with managing connection restrictions to be socket files, so.

C

If we have one folder, then effectively one, if you have one folder, then that means that, for example, a rogue pod can mount a denial-of-service against a Tennessee that may not be prepared for it, for example, right effectively.

C

If you have C, if you look at the way that all the kubernetes things are doing this either a you're only ever talking northbound right so you're only ever having somebody talk to the one socket, for example, when you're talking to kubernetes api locally or you know for the api server or you are having the situation where, if you look at what the resource device, the device plug-in and stuff you end up, registering a socket going back via the device plug-in, so you basically have a registration call.

C

Will you say this is my socket that you go and deal with this so.

E

I definitely want.

C

To investigate see if we can get to this place, I guess the point is I'm not seeing 100% how we get there yet. Does that make sense, yeah.

D

I, don't think any problems here actually, during our experiments, yeah.

C

So yes, I would I would like to know how we are getting per pod mounts done so that we don't have pods cross talking to each other without a device player.

D

Now, in our internal discussions, it was about mounting two folders one for an SM server socket and one shared folders for any of any C's to put the NSC client socket inside it. Second, one.

C

That worries me very badly because there that that folder opens up a huge set of potential security issues.

D

Right so many.

C

Sockets.

D

For gonna see it will be just security servers. We face itself right.

C

But just just let me just give you a very very straightforward example right, so you are pod one you laid on a client socket in that bat, folder I am pod. I, have a nefarious pod I, delete your file socket and replace it with my own.

C

Now you have gone and registered the fact that you actually have this. This network service you're providing but I, have now subbed myself in to receive the calls to you, because I can. Okay.

D

Okay, okay solo it to delete yeah, it could.

C

Be a problem yeah so I mean there's all mean we can potentially look around and see if people have found other good ways of solving this, but the sort of very naive of saying well, how way of saying we'll have one folder for all the clients to have their sockets?

C

How does a real potential to have issues you know in terms of have issues with security, because again you can? You can literally go and catch other people's messages and receive other people's calls and prevent people from being able to reach the legitimate network service endpoint. There.

D

Yeah: okay, okay,.

C

So but no I mean there there there I understand exactly what you're trying to get rid of there. It would be great. Maybe there is a smarter idea out there, but I don't think it's as simple as just have a separate folder for the clients to drop their sockets it and have all the yeah.

D

We discussed a few variants, actually, probably the most good will be to have endpoints to be shared on a TCP socket any of a TCP socket available on a node. So unless manager will connect using a TCP, it's the safest way, I think yeah.

C

One thing I want to think through there is that it actively precludes us doing any kind of CNI intercept, because now we cannot function independent of the CNI.

D

Yeah okay, I mean.

C

I actually actively encourage trying to see we can figure out some smarter in this direction, because I think that would be wonderful. um There.

E

Yep.

C

I want to make sure that we deal with here, because it would actually make me greatly happy to move away to to just something quite a bit simpler. So.

D

Yeah, okay, well,.

C

Alright, you know, in fact, actually one of the things that we can do, that it's basically very, very cheap along the way for this that I have been doing is in a lot of the places where we have been basically using socket files, I've been using URLs with UNIX URL, because then in it, when we do get to the point where we've figured out a way that doesn't involve files, um we don't have nearly as much recoding to do it is. We've got a mechanism, this generic hood.

C

Cool awesome see we're got remote support for VPP agent forwarder. How is that going grace.

B

Here if I said that VPP is compatible with my god because of I've packet works on over to my regard of works on where three- and at this moment I trying to add to I've packet, I possible to work as our three and at this moment moment, I am I, not faced a twister problems. Yet this way and I'll, let you know about any updates. You.

C

Know that would be awesome because, in a brief glance that I did through it looked like a packet. Probably do the right thing if you just if in fact be a packet plugin for VPP was good to do the right thing. It's just the guys who had done it had only been thinking in terms of the eath pairs, and so they sort of coded it to do the LC thing. So it seemed possible you're, potentially possible, but I'm glad you're digging into it.

C

We're riding up against the edge of the hour. Shall we all go jump on the community meeting yep all.

E

Right talk to you later, yep.

E

You.
From YouTube: CNCF Network Service Mesh PR Issue Review Weekly Meeting 2020-03-10

Description

CNCF Network Service Mesh PR Issue Review Weekly Meeting 2020 03 10