Tuesday, 2017-10-03

*** SumitNaiksatam_ has joined #openstack-fwaas [01:32]
*** SumitNaiksatam has quit IRC [01:35]
*** SumitNaiksatam_ is now known as SumitNaiksatam [01:35]
*** annp has joined #openstack-fwaas [02:42]
*** yamamoto has joined #openstack-fwaas [02:45]
*** lnicolas has joined #openstack-fwaas [03:47]
*** annp has quit IRC [04:49]
*** hoangcx has quit IRC [04:51]
*** hoangcx has joined #openstack-fwaas [05:13]
*** eezhova has joined #openstack-fwaas [06:16]
*** eezhova has quit IRC [06:56]
*** eezhova has joined #openstack-fwaas [07:33]
*** yamamoto has quit IRC [09:24]
*** yamamoto has joined #openstack-fwaas [09:41]
*** yamamoto has quit IRC [09:46]
*** yamamoto has joined #openstack-fwaas [09:46]
*** yamamoto has quit IRC [09:51]
*** yamamoto has joined #openstack-fwaas [10:00]
*** ivasilevskaya has quit IRC [10:36]
*** ivasilevskaya has joined #openstack-fwaas [11:54]
*** eezhova_ has joined #openstack-fwaas [13:03]
*** eezhova has quit IRC [13:05]
*** yamamoto has quit IRC [13:16]
*** yamamoto has joined #openstack-fwaas [13:35]
*** lnicolas has quit IRC [13:45]
*** SarathMekala has joined #openstack-fwaas [13:53]
*** chandanc has joined #openstack-fwaas [14:04]
<openstackgerrit> Sarath Chandra Mekala proposed openstack/neutron-fwaas-dashboard master: FWaaS V2 Horizon Dashboard  https://review.openstack.org/475840 [14:06]
*** chandanc has quit IRC [14:08]
*** reedip_ has joined #openstack-fwaas [14:19]
<reedip_> meeting is on thursday , guys [14:20]
<reedip_> jfyi [14:20]
<SarathMekala> oh.. ok.. thanks for the info [14:20]
<reedip_> i think i sent the email ? [14:20]
<SarathMekala> was wondering what happened :) [14:20]
<SarathMekala> i may have missed it.. was on vacation last week [14:21]
<reedip_> :D [14:21]
<SarathMekala> is it the same time? [14:21]
<reedip_> yep [14:22]
<reedip_> but on #openstack-fwaas [14:22]
<reedip_> i.e. this channel [14:22]
<SarathMekala> ok.. thanks [14:23]
<reedip_> np :) [14:23]
*** SarathMekala has quit IRC [14:23]
*** yamamoto has quit IRC [14:26]
*** eezhova_ has quit IRC [14:26]
*** reedip_ is now known as reedip_afk [14:27]
*** reedip_afk has quit IRC [14:35]
*** reedip_afk has joined #openstack-fwaas [14:45]
*** reedip_afk has quit IRC [15:13]
*** reedip_ has joined #openstack-fwaas [15:14]
*** reedip_ has quit IRC [15:15]
*** reedip_ has joined #openstack-fwaas [15:15]
*** yamamoto has joined #openstack-fwaas [15:26]
*** yamamoto has quit IRC [15:34]
*** reedip_ has quit IRC [15:51]
*** reedip_ has joined #openstack-fwaas [15:55]
<openstackgerrit> Inessa Vasilevskaya proposed openstack/neutron-fwaas master: Introduce default firewall groups  https://review.openstack.org/425769 [16:00]
<reedip_> ivasilevskaya : hi , what did you change in the current patch ? [16:07]
<ivasilevskaya> reedip_ most major thing - I brought back ensure_default_fwg flag in create_firewall_group [16:08]
<reedip_> ivasilevskaya : exactly, I am thinking why :) [16:08]
<ivasilevskaya> I removed it around PS 33 and that wasn't a clever thing to do [16:08]
<reedip_> I am not sure about the importance of the default_fwg attribute in create_firewall_group [16:09]
<ivasilevskaya> well it is useful to know whether we are dealing with default fwg or not when we are inside create firewall group [16:09]
<ivasilevskaya> during debugging and to align with neutron SG [16:10]
<reedip_> brb [16:10]
<ivasilevskaya> I had my doubts but yushiro's comment solved them. Are you stricty against it? [16:11]
<ivasilevskaya> strictly* [16:11]
<reedip_> ivasilevskaya : question . Do we need to be Exactly a duplicate of SG ? :) [16:11]
<ivasilevskaya> of course no [16:11]
<reedip_> I am not against it, but I dont find it very useful. I think it can be handled in other sense as well [16:11]
<reedip_> ok, one question , in Line#1047 , you put _ensure_firewall_group [16:12]
<reedip_> https://review.openstack.org/#/c/425769/45..46/neutron_fwaas/db/firewall/v2/firewall_db_v2.py@1047 [16:12]
<reedip_> Earlier it was _create [16:12]
<reedip_> Now, if the default fwg doesnt exist, _ensure wont create the default fwg , would it ? [16:13]
<ivasilevskaya> no it will of course [16:13]
<ivasilevskaya> it's ensure because it make sure that default fwg is there :) [16:13]
<reedip_> oh .. damn, I skipped a part of the code.. wait lemme recheck :) [16:13]
<ivasilevskaya> makes* sorry my keyboard needs cleaning [16:13]
<ivasilevskaya> it would be cool if you could test it on devstack too. I'm coming up with the brand new env so it will take some time [16:14]
<reedip_> ok, I see you added a return of the fwg id. I think its a good addition, but it is not being consumed anywhere right now. [16:15]
<reedip_> :) [16:15]
<reedip_> ivasilevskaya : but I have one issue [16:16]
<reedip_> ivasilevskaya : you see you have already setup everything for creating the default fwg in _ensure_default_firewallgroup [16:18]
<reedip_> ivasilevskaya : I commented. I am very much inclined to fix it, but I would not like to take it away from your hands . You are doing an exceptional job, and I am learning a few things from you :) [16:26]
*** eezhova has joined #openstack-fwaas [16:41]
*** SumitNaiksatam has quit IRC [16:48]
<ivasilevskaya> reedip_ don't make me blush :) [16:55]
<ivasilevskaya> reedip_ I've answered your comments [16:56]
<reedip_> naah , its a fact :) [16:56]
<reedip_> ok, lemme check [16:56]
<reedip_> ivasilevskaya : Mentioned back to you :) [17:10]
<reedip_> ivasilevskaya : We already have the check for the user in https://review.openstack.org/#/c/425769/46/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@224 [17:12]
<reedip_> ivasilevskaya : and the DB functions are called AFTER the plugin [17:13]
<reedip_> ivasilevskaya : so I am still not sure if we need to guard it or not.... [17:13]
<reedip_> IMHO I dont think its required. I am still open to it but need a better case to be properly convinced :) [17:14]
<ivasilevskaya> reedip_ that's different. This create_firewall_group will be called as a result of user request but has nothing to do with default group creation on list command [17:15]
*** SumitNaiksatam has joined #openstack-fwaas [17:15]
<reedip_> ivasilevskaya : ok, but the reason why you have the default_fwg attribute is to guard against user requests, right? [17:15]
<reedip_> * the default_Fwg attribute in the create_firewall_group() function * [17:16]
<ivasilevskaya> not to guard only but to differentiate between 2 behaviors - system one (creation on list) and user one [17:16]
<reedip_> exactly. The user wont be able to reach here, because the plugin is already guarding the DB [17:16]
<reedip_> so the user one wont reach here, and therefore we do not need to have 2 different behaviors. We can keep them similar. Because "default" would only be requested by system. Not user. [17:17]
<ivasilevskaya> I believe the best solution to this dilemma is you push a patch and fix it the way you like and then other people vote for the approach they like more [17:20]
<reedip_> ivasilevskaya : yes, but I think if I can convince you, then it would be easier for me in the long run :) [17:21]
<reedip_> I dont disagree with your point but I do find that this is not necessary when the code flow wont ever hit it [17:22]
<ivasilevskaya> reedip_ the test coverage is pretty poor so no one can be sure how code exactly flows :( [17:22]
<reedip_> if there is a flow where in the DB would be accessed before the Plugin, then I am for sure going to take up the default_fwg attribute. But as far as I can see, it wont [17:22]
<reedip_> ivasilevskaya : yes, we need some tempest test cases. Let me start working on tempest scenarios for this then. Then maybe we can experiment with it. [17:23]
*** eezhova has quit IRC [17:23]
<ivasilevskaya> reedip_ I just note that this stuff was introduced by yushiro originally. Maybe for a stronger reason than I described. That was me who removed this logic so I thought it would be right if I brought it back [17:24]
<reedip_> but do know that we have less than 2 weeks for Q1 and if we do not close the patches, within 2-4 weeks, we would be in deep trouble [17:24]
<reedip_> ivasilevskaya : Ok, let me discuss with yushiro on Thursday during the weekly meeting then [17:24]
<ivasilevskaya> I believe the fastest way is "you file a PS with a comment", he comes and resolves a matter tomorrow :) [17:25]
<reedip_> if he comes tomorrow .. he has been a bit busy. I will do it though [17:26]
<reedip_> I will make a PS tomorrow evening, so that Thursday we have time to discuss [17:26]
<ivasilevskaya> reedip_ just make sure that test pass, please, so that no patchsets to fix tests follow. It will make the comparison a bit easier for reviewers [17:27]
<reedip_> I remember your shouting in the other PS.. ;) [17:28]
<ivasilevskaya> reedip_ so sorry [17:29]
<reedip_> naah , you are correct... [17:29]
<reedip_> anyways, I better go.. today was leg day at the gym and now its taking its toll... good night, I will follow up with the PS tomorrow [17:30]
*** reedip_ is now known as reedip_leaving [17:30]
<ivasilevskaya> reedip_ good night) [17:30]
*** reedip_leaving has quit IRC [17:35]
<ivasilevskaya> Oh, cool, non-admin user can easily destroy default fwg by updating egress\ingress policy with --no-firewall-rule [17:53]
<ivasilevskaya> I believe default policy access isn't checked at all [17:55]
*** eezhova has joined #openstack-fwaas [19:15]
<ivasilevskaya> don't know when did that break but I added a couple of UT [19:17]
*** eezhova has quit IRC [20:09]
<openstackgerrit> Inessa Vasilevskaya proposed openstack/neutron-fwaas master: Introduce default firewall groups  https://review.openstack.org/425769 [20:32]
*** ivasilevskaya has quit IRC [20:47]
*** SumitNaiksatam has quit IRC [23:06]
*** lnicolas has joined #openstack-fwaas [23:27]
