)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"ec0019947ba18338bb3bdddf9a9de0ece51391bf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a8fdbba1_5594b303","updated":"2021-11-18 09:37:29.000000000","message":"NOTE: Roman Safronov tested manually this patch in our internal TripleO CI, with firewall_driver \"iptables_hybrid\" and \"openvswitch\". It is working as expected.\n\nThanks Roman.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":23804,"name":"Daniel Alvarez","email":"dalvarez@redhat.com","username":"dalvarez"},"change_message_id":"ced6212782b16dade2f22a8606b275585816ce9f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4d42751f_723402b1","updated":"2021-12-17 09:42:22.000000000","message":"I\u0027ll let Jakub +A","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":8655,"name":"Jakub Libosvar","email":"libosvar@redhat.com","username":"jlibosva"},"change_message_id":"3012fc065ed32fbd0b8088d36793af10e3cf3598","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0b5a8397_71407073","updated":"2021-12-20 18:05:10.000000000","message":"Let me know what you think, perhaps it\u0027s not worth it as tripleo doesn\u0027t comment options.","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"9352128aed95378a7a4c5bb672a1f18d01dc1b91","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c8db615d_bf24c126","updated":"2021-12-14 10:10:29.000000000","message":"Ping fellow reviewers","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"}],"tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml":[{"author":{"_account_id":8655,"name":"Jakub Libosvar","email":"libosvar@redhat.com","username":"jlibosva"},"change_message_id":"69eb8140dbdc090dc48ff7acd77fec9f6b6bc3ab","unresolved":true,"context_lines":[{"line_number":17,"context_line":"- name: Pre migration checks in the controllers"},{"line_number":18,"context_line":"  hosts: ovn-controllers"},{"line_number":19,"context_line":"  roles:"},{"line_number":20,"context_line":"    - pre-checks/controllers"},{"line_number":21,"context_line":"  tags:"},{"line_number":22,"context_line":"    - pre-migration"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"c85d8c8a_d7954f44","line":20,"range":{"start_line":20,"start_character":17,"end_line":20,"end_character":28},"updated":"2021-11-18 17:12:56.000000000","message":"I find this a bit confusing because the host are actually compute nodes. One can be mislead and think it\u0027s controller nodes.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"9f8d765e6bf3c0665ba4e67c5ab26318af32f45f","unresolved":true,"context_lines":[{"line_number":17,"context_line":"- name: Pre migration checks in the controllers"},{"line_number":18,"context_line":"  hosts: ovn-controllers"},{"line_number":19,"context_line":"  roles:"},{"line_number":20,"context_line":"    - pre-checks/controllers"},{"line_number":21,"context_line":"  tags:"},{"line_number":22,"context_line":"    - pre-migration"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d70ef615_ffed236d","line":20,"range":{"start_line":20,"start_character":17,"end_line":20,"end_character":28},"in_reply_to":"c85d8c8a_d7954f44","updated":"2021-11-18 17:18:45.000000000","message":"I can rename this as ovn-controllers (that is actually the inventory group name used)","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"}],"tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/controllers/tasks/main.yml":[{"author":{"_account_id":8655,"name":"Jakub Libosvar","email":"libosvar@redhat.com","username":"jlibosva"},"change_message_id":"69eb8140dbdc090dc48ff7acd77fec9f6b6bc3ab","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Read OVS agent firewall configuration"},{"line_number":3,"context_line":"  shell: \u003e"},{"line_number":4,"context_line":"     podman exec neutron_ovs_agent /bin/sh -c \"cat /etc/neutron/plugins/ml2/openvswitch_agent.ini | grep firewall_driver | cut -f2 -d\u0027\u003d\u0027\""},{"line_number":5,"context_line":"  register: ovs_firewall"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"- name: Check OVS agent firewall is not using \"iptables_hybrid\" option"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"70e6b7f3_2c5ed2a6","line":4,"range":{"start_line":4,"start_character":5,"end_line":4,"end_character":100},"updated":"2021-11-18 17:12:56.000000000","message":"Can we just grep /var/lib/config-data/puppet-generated/neutron ?","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"9f8d765e6bf3c0665ba4e67c5ab26318af32f45f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Read OVS agent firewall configuration"},{"line_number":3,"context_line":"  shell: \u003e"},{"line_number":4,"context_line":"     podman exec neutron_ovs_agent /bin/sh -c \"cat /etc/neutron/plugins/ml2/openvswitch_agent.ini | grep firewall_driver | cut -f2 -d\u0027\u003d\u0027\""},{"line_number":5,"context_line":"  register: ovs_firewall"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"- name: Check OVS agent firewall is not using \"iptables_hybrid\" option"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9ae4ea6b_6de22d85","line":4,"range":{"start_line":4,"start_character":5,"end_line":4,"end_character":100},"in_reply_to":"70e6b7f3_2c5ed2a6","updated":"2021-11-18 17:18:45.000000000","message":"Right, this is the location used by the containers to read the config. That will be even faster.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"25834a16805602cec8e5bee270ab9c93a3429d01","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"bab49ce4_32e602cd","line":11,"updated":"2021-11-17 15:59:09.000000000","message":"Probably it could be done faster if You would run it just on one controller node and check in db with query like:\n\n    select * from agents where configurations LIKE \u0027%\\\"interface_driver\\\": \\\"iptables_hybrid\\\"%\u0027\n\nif it will return any agent. But from the other hand, migration is not something what is done often so waiting few minutes more for that check shouldn\u0027t be big deal.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":29350,"name":"Roman Safronov","email":"rsafrono@redhat.com","username":"rsafrono"},"change_message_id":"2bb4918c84a838fb05f39718d02fb191af795995","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"bdb4cbd0_4a8497b3","line":11,"in_reply_to":"0fcaf4e0_f9b80c20","updated":"2021-11-18 11:33:21.000000000","message":"I tested with 100 computes in the inventory (simulated with the existing 2 ones) it took 16 seconds. With 1000 computes it was about 4 minutes (with default forks set to 50).","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":8655,"name":"Jakub Libosvar","email":"libosvar@redhat.com","username":"jlibosva"},"change_message_id":"69eb8140dbdc090dc48ff7acd77fec9f6b6bc3ab","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"b7d72fb8_d2631b59","line":11,"in_reply_to":"25751645_095a7733","updated":"2021-11-18 17:12:56.000000000","message":"I know I\u0027m the one who recommended doing it via ansible. I like the SQL approach too - but it\u0027s a bit fragile. I did something similar in the past: https://review.opendev.org/c/openstack/neutron/+/791451/1/tools/ovn_migration/tripleo_environment/playbooks/roles/prepare-controllers/tasks/main.yml and was not happy with it because it relied on crudini and also is not readable and thus error prone.\n\nThat said, I think what Roman provided is quite a good result and can be even improved by increasing the fork. I think 4 minutes on 1k environment is a good number.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"3de5a28b1fe890afc51131a20625f7af729231cc","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"a70f96e4_4f2db3ff","line":11,"in_reply_to":"9e9e88fe_55b7d1da","updated":"2021-11-18 11:21:46.000000000","message":"Actually \"interface_driver\" is the driver type, in both cases \"openvswitch\".\n\nI should look for:\n  \"ovs_hybrid_plug\": true","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"94ea1622e52c33d26ad4999a796be76f0335ab6c","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"0fcaf4e0_f9b80c20","line":11,"in_reply_to":"a70f96e4_4f2db3ff","updated":"2021-11-18 11:25:19.000000000","message":"To be honest, I would rely on reading the configuration parameter.\n\nTo access to the DB I need (1) to identify and access to a controller, (2) find the DB container (in HA they have different names) and (3) execute a multiple command query inside the mysql CLI. Reading the config param is easier.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":23804,"name":"Daniel Alvarez","email":"dalvarez@redhat.com","username":"dalvarez"},"change_message_id":"8ed94eac573e3fb17aca13ba1cb9cd00a2553b23","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9e9e88fe_55b7d1da","line":11,"in_reply_to":"bab49ce4_32e602cd","updated":"2021-11-18 10:14:27.000000000","message":"I like this approach actually, for a huge number of nodes it can be slow. I\u0027m removing the +W to see what Jakub/Terry/others. Also not sure if we can/should assume that the tool will have access to the SQL database","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"e0c918f11f3ab015bb0d9221a92fa1d81869570f","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"e10790c5_0693b072","line":11,"in_reply_to":"bdb4cbd0_4a8497b3","updated":"2021-11-18 13:56:56.000000000","message":"Roman, thanks for your time testing this patch and providing this info.","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"},{"author":{"_account_id":5756,"name":"Terry Wilson","email":"twilson@redhat.com","username":"otherwiseguy"},"change_message_id":"10a5deb0a3a1fec8e3c6ea654029cbe175016b28","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  assert:"},{"line_number":9,"context_line":"    that:"},{"line_number":10,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d ovs_firewall.stdout\""},{"line_number":11,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"25751645_095a7733","line":11,"in_reply_to":"e10790c5_0693b072","updated":"2021-11-18 14:28:20.000000000","message":"lgtm!","commit_id":"1213d0420f2a7eb504fbc76cfa9a37481ae01a06"}],"tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml":[{"author":{"_account_id":8655,"name":"Jakub Libosvar","email":"libosvar@redhat.com","username":"jlibosva"},"change_message_id":"3012fc065ed32fbd0b8088d36793af10e3cf3598","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"- name: Parse OVS configuration file and store if \"iptables_hybrid\" is present"},{"line_number":8,"context_line":"  set_fact:"},{"line_number":9,"context_line":"    is_iptables_hybrid: \"{{ ovs_config_file.content | b64decode | regex_search(\u0027iptables_hybrid\u0027) }}\""},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"- name: Check OVS agent firewall is not using \"iptables_hybrid\" option"},{"line_number":12,"context_line":"  assert:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c560bdb9_f6bee01b","line":9,"range":{"start_line":9,"start_character":80,"end_line":9,"end_character":95},"updated":"2021-12-20 18:05:10.000000000","message":"perhaps we should include that pound sign is not on the line to avoid positive match on:\n\n # firewall_driver \u003d iptables_hybrid\n firewall_driver \u003d openvswitch","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"f750ff4e73d09a7063635ad155494b00358db077","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"- name: Parse OVS configuration file and store if \"iptables_hybrid\" is present"},{"line_number":8,"context_line":"  set_fact:"},{"line_number":9,"context_line":"    is_iptables_hybrid: \"{{ ovs_config_file.content | b64decode | regex_search(\u0027iptables_hybrid\u0027) }}\""},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"- name: Check OVS agent firewall is not using \"iptables_hybrid\" option"},{"line_number":12,"context_line":"  assert:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"5c0c0163_0dc85efa","line":9,"range":{"start_line":9,"start_character":80,"end_line":9,"end_character":95},"in_reply_to":"647cf9c5_b5fd3a4a","updated":"2022-01-07 14:58:36.000000000","message":"Done","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"a81ad8400f9277b2582bfa6a68c505f908cc61b7","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"- name: Parse OVS configuration file and store if \"iptables_hybrid\" is present"},{"line_number":8,"context_line":"  set_fact:"},{"line_number":9,"context_line":"    is_iptables_hybrid: \"{{ ovs_config_file.content | b64decode | regex_search(\u0027iptables_hybrid\u0027) }}\""},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"- name: Check OVS agent firewall is not using \"iptables_hybrid\" option"},{"line_number":12,"context_line":"  assert:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"647cf9c5_b5fd3a4a","line":9,"range":{"start_line":9,"start_character":80,"end_line":9,"end_character":95},"in_reply_to":"c560bdb9_f6bee01b","updated":"2022-01-07 13:57:39.000000000","message":"Right, I\u0027ll use lookup(\u0027ini\u0027) to simplify this search. It is more robust.","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"1e42ceba0580588ba5024c975ffc4604bc683337","unresolved":true,"context_lines":[{"line_number":12,"context_line":"  assert:"},{"line_number":13,"context_line":"    that:"},{"line_number":14,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d is_iptables_hybrid\""},{"line_number":15,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"0114d962_9877a370","line":15,"updated":"2021-12-07 09:35:32.000000000","message":"I don\u0027t know if it is really possible with Ansible or not but maybe we can improve that by failing on the first agent which will have iptables_hybrid driver. There is no need to check all of them in such case probably.\nBut it don\u0027t need to be done now. 4 minutes measured by Roman in IMO ok during the migration task.","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"},{"author":{"_account_id":23804,"name":"Daniel Alvarez","email":"dalvarez@redhat.com","username":"dalvarez"},"change_message_id":"ced6212782b16dade2f22a8606b275585816ce9f","unresolved":true,"context_lines":[{"line_number":12,"context_line":"  assert:"},{"line_number":13,"context_line":"    that:"},{"line_number":14,"context_line":"      - \"\u0027iptables_hybrid\u0027 !\u003d is_iptables_hybrid\""},{"line_number":15,"context_line":"    fail_msg: \"OVS agent firewall cannot be \u0027iptables_hybrid\u0027, migration will not continue\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"0f9e0145_7400aa59","line":15,"in_reply_to":"0114d962_9877a370","updated":"2021-12-17 09:42:22.000000000","message":"Agreed 😊\n4 minutes with how many nodes? this is likely going to be way longer at scale right?","commit_id":"1a1746affd14a4da676839600caff71aaa3e7272"}]}