xgerman | I think shared and public are meant to do the same thing but as reedip said grammatically shared is nicer. | 14:22 |
---|---|---|
njohnston | I agree. I don't really know why it was ever important to rename shared to public in the first place. | 15:09 |
doude | Hi there! I'm looking to develop a FWaaSv2 driver for Contrail SDN controller and I've a few questions | 15:51 |
doude | Can I go there? | 15:51 |
reedip_ | OpenContrail ??? | 15:57 |
reedip_ | nice doude .... | 15:57 |
reedip_ | :) | 15:57 |
njohnston | sure, doude | 15:57 |
reedip_ | doude : the best way would be posting your questions on openstack-dev mailing list, and this IRC | 15:58 |
doude | yes OpenContrail, reedip_ | 16:03 |
doude | Ok I'll also open a mail dev thread | 16:03 |
doude | I read the FWaaS v2 spec https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html | 16:04 |
doude | and I don't understand how fw and sg will live together on a VM port? | 16:05 |
doude | from what I understood as it's 2 different APIs, rules are not reflected on each API, true? | 16:07 |
reedip_ | doude : not sure about the last statement but as per the documentation written for FwaaS v2 | 16:09 |
reedip_ | "When both FWaaS and Security Groups are associated with the same Neutron port, a packet must be allowed by both features, i.e. “deny” wins between FWaaS and Security Groups. This behavior is adopted to address typical use cases where a tenant network admin uses FWaaS to specify tenant wide rules that are to be applied regardless of the application, while an application deployer uses Security Groups to narrow down allowed traffic to only what is | 16:09 |
doude | yes | 16:10 |
doude | but rules I create on the FW API are not reflected on the SG API? | 16:11 |
reedip_ | no , the rules would be different | 16:11 |
doude | ok | 16:11 |
doude | and the SG API limits port association to VM ports? Router and other system ports cannot be associated to a SG? | 16:13 |
reedip_ | IIUC , yes SG are limited to VMs. njohnston, xgerman : let me know if I am wrong | 16:17 |
xgerman | +1 | 16:18 |
reedip_ | +1 for me being wrong ?? :P | 16:18 |
xgerman | no, it’s limited to VM ports | 16:18 |
njohnston | I concur, SG are limited to VM ports | 16:19 |
reedip_ | :) | 16:19 |
reedip_ | FW on the other hand can be extended to the other type of ports doude | 16:19 |
xgerman | at least router | 16:20 |
xgerman | other ports are a bit YMMV | 16:20 |
doude | ok thanks | 16:20 |
xgerman | yeah, router and VM are supported; other ports (e.g. SFC) are a bit YMMV | 16:21 |
reedip_ | Need to see google what's YMMV | 16:21 |
xgerman | Your mileage may vary | 16:21 |
doude | I made a test on a devstack with ML2 and the error is not explicit: "'Port' object has no attribute 'security_groups'" | 16:21 |
reedip_ | yes, that's what google told me about YMMV :P | 16:22 |
reedip_ | doude : that's an interesting issue, did you check the traceback in /opt/stack/logs/q-svc.log? | 16:22 |
reedip_ | and BTW did you have Reclone=True /Reclone=False in local.conf of devstack? | 16:23 |
doude | it's a fresh devstack install from master branch | 16:24 |
doude | I don't have any traceback in any Neutron service | 16:24 |
doude | but I have that traceback from osc in debug: | 16:24 |
doude | http://paste.openstack.org/show/598262/ | 16:25 |
doude | I think OSC tries to read the 'security_groups' attribute before trying to update it | 16:26 |
doude | I try to set the curl command | 16:27 |
doude | *I'm trying | 16:27 |
reedip_ | doude : neutron error logs would be there in /opt/stack/logs/q-svc.log but yes, this seems like a different issue. Do you have a locally checked out python-openstackclient folder in /opt/stack ? | 16:27 |
reedip_ | and do you have the latest code of python-openstacksdk ? | 16:28 |
doude | yes | 16:28 |
doude | and I don't have python-openstacksdk | 16:29 |
reedip_ | okay, can you just check if python-openstacksdk and python-openstackclient are both pointing to master branch ( using git branch in those folders ) | 16:29 |
doude | but openstacksdk==0.9.13 | 16:29 |
doude | and python-openstackclient==3.8.1 | 16:29 |
reedip_ | doude : okay, you may not have it, but it would nevertheless be checked out in /usr/local/python2.7/site-packages | 16:29 |
reedip_ | doude : okay, give me some time, need to check it | 16:30 |
doude | sure | 16:33 |
reedip_ | doude : okay, my env also has 0.9.13 for openstacksdk and 3.8.1 with openstackclient | 16:36 |
reedip_ | I am just redeploying the devstack , because it has been in a static state since yesterday, so need some time. If I see the same error, then it might be something new | 16:37 |
doude | reedip_: I think it is an issue on the osc 'port set' command | 16:40 |
reedip_ | doude: I think so too, so just checking. | 16:41 |
doude | I finally managed to send the update security group on a router port with a curl command and the neutron API returned me an explicit bad request error | 16:42 |
doude | "BadRequest: Port security must be enabled and port must have an IP address in order to use security groups." | 16:42 |
reedip_ | it should, on the router port | 16:42 |
doude | yes | 16:42 |
reedip_ | but the port which failed in your devstack shouldn't be a router port | 16:44 |
doude | reedip_: I tried to add sg on a router port intentionally to confirm it is forbidden | 16:47 |
reedip_ | doude : that's gr8 :) but right now I am more concerned about the devstack issue, if it exists :D | 16:49 |
doude | ok | 17:00 |
reedip_ | doude : the above issue came with port update ( the error reported by devstack ) | 17:04 |
doude | ok | 17:08 |
doude | I come back to the FWaaS v2 API spec. The spec https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html talks about 'address group' and 'service group' but I don't see it implemented in the actual code. Is it abandoned or postponed? | 17:10 |
reedip_ | doude : I was able to replicate the issue. The port being updated by devstack seems to be a router port, and it won't have the security group. | 17:14 |
reedip_ | So this issue is logically correct | 17:14 |
doude | ok right | 17:15 |
reedip_ | doude : I think the address_group is not yet there | 17:17 |
doude | and the service_group? | 17:20 |
reedip_ | not sure abt that doude | 17:21 |
doude | ok, thanks | 17:21 |
doude | I also saw it is possible to define a firewall group as a source or destination in a firewall rule. Is it still planned to do that? | 17:23 |
reedip_ | doude: shouldn't we ? :) | 17:34 |
doude | :) | 17:35 |
doude | IMO yes | 17:35 |
doude | but that has a huge impact technically | 17:36 |
reedip_ | doude : your point being ( in terms of technical impact ) ? ( though njohnston, sridark , xgerman and others would be better in answering this ) | 17:38 |
reedip_ | this -> this than me | 17:39 |
doude | yes in my point of view of contrail developer | 17:41 |
reedip_2 | sorry, disconnected :P | 17:45 |
-openstackstatus- NOTICE: Restarting gerrit due to performance problems | 20:19 | |