Thursday, 2018-01-25

*** AlexeyAbashkin has joined #openstack-fwaas		00:11
*** AlexeyAbashkin has quit IRC		00:15
*** hoangcx has joined #openstack-fwaas		01:47
*** openstackgerrit has quit IRC		03:33
*** yamamoto has joined #openstack-fwaas		03:37
*** annp has joined #openstack-fwaas		03:49
*** AlexeyAbashkin has joined #openstack-fwaas		06:22
*** AlexeyAbashkin has quit IRC		06:30
*** threestrands_ has quit IRC		07:02
*** bbzhao has quit IRC		08:02
*** bbzhao has joined #openstack-fwaas		08:03
*** AlexeyAbashkin has joined #openstack-fwaas		08:04
*** jafeha has joined #openstack-fwaas		09:12
*** jafeha__ has quit IRC		09:14
*** yamamoto has quit IRC		10:04
*** bbzhao has quit IRC		10:26
*** annp has quit IRC		10:46
*** yamamoto has joined #openstack-fwaas		11:05
*** yamamoto has quit IRC		11:18
*** yamamoto has joined #openstack-fwaas		11:31
*** eN_Guruprasad_Rn has joined #openstack-fwaas		11:57
*** AlexeyAbashkin has quit IRC		11:58
*** AlexeyAbashkin has joined #openstack-fwaas		11:58
*** yamamoto has quit IRC		12:31
*** yamamoto has joined #openstack-fwaas		12:31
*** yamamoto has quit IRC		12:52
*** yamamoto has joined #openstack-fwaas		13:07
*** annp has joined #openstack-fwaas		13:25
*** eN_Guruprasad_Rn has quit IRC		13:31
*** openstackgerrit has joined #openstack-fwaas		13:39
openstackgerrit	OpenStack Release Bot proposed openstack/neutron-fwaas-dashboard master: Update reno for stable/queens https://review.openstack.org/537907	13:39
*** yamamoto has quit IRC		13:42
*** cleong has joined #openstack-fwaas		13:42
*** yushiro has joined #openstack-fwaas		13:57
yushiro	Hi	14:00
annp	hi	14:00
*** SridarK has joined #openstack-fwaas		14:01
yushiro	Hi~	14:01
SridarK	Hi FWaaS folks	14:01
yushiro	#startmeeting fwaas	14:01
openstack	Meeting started Thu Jan 25 14:01:58 2018 UTC and is due to finish in 60 minutes. The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.	14:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	14:02
*** openstack changes topic to " (Meeting topic: fwaas)"		14:02
openstack	The meeting name has been set to 'fwaas'	14:02
SridarK	yushiro: i think ur turn to run the mtg today ?	14:02
yushiro	#chair SridarK yushiro xgerman_	14:02
openstack	Current chairs: SridarK xgerman_ yushiro	14:02
*** chandanc has joined #openstack-fwaas		14:02
yushiro	SridarK, Hi. I think today is xgerman_ :)	14:02
*** yamamoto has joined #openstack-fwaas		14:02
chandanc	Hello all	14:02
SridarK	ah ok	14:02
yushiro	chandanc, Hi	14:02
chandanc	hello yushiro	14:02
yushiro	SridarK, However, if he is difficult to handle today, I will.	14:03
yushiro	Is xgerman_ online?	14:03
SridarK	sure yushiro and i am ok to run it - if it is difficult for u today as well	14:04
yushiro	Thanks SridarK :)	14:04
SridarK	I see xgerman_ online	14:04
SridarK	perhaps he had to step away	14:04
yushiro	yes, OK, let's start today's meeting.	14:05
SridarK	yes	14:05
yushiro	#topic Queens	14:06
*** openstack changes topic to "Queens (Meeting topic: fwaas)"		14:06
yushiro	Today is Q-3(FF) deadline.	14:07
yushiro	Thanks for your review	14:07
yushiro	Fixed default fwg bug, co-existing, netlink for ipv6, auto-association for default fwg	14:09
SridarK	+1	14:09
annp	+1	14:10
yushiro	Regarding co-existing patch( https://review.openstack.org/#/c/535237), we need reno I think.	14:11
annp	yes, I think so too	14:11
chandanc	yushiro: do you mean for the migration ?	14:11
yushiro	chandanc, annp Thanks for your discussion. I'm sorry I couldn't join your discussion more..	14:11
SridarK	i believe we managed to get all the patches in before the deadline	14:12
SridarK	we should also discuss https://review.openstack.org/#/c/536234/	14:12
annp	Let me confirm: Have we tested with co-existence in case of sg=iptables_hybrid and fwaas=OVS?	14:12
yushiro	SridarK, +1	14:12
yushiro	chandanc, not migration but 'why this fix is necessary or background'	14:13
chandanc	yushiro: ok got it	14:13
annp	yushiro, +1	14:14
yushiro	#link https://review.openstack.org/#/c/536234/	14:14
chandanc	for patch from annp	14:14
SridarK	yushiro: have we covered coexistence in one of our earlier L2 support patches (in terms of reno)	14:14
SridarK	if we describle that earlier and this if 535237 is just a bugfix - we may be ok - but chandanc can u pls double check that	14:15
chandanc	can we ask the end user to move to OVS based SG ? this is my only concern	14:15
SridarK	chandanc: also in regard to question from annp on testing coexistence with sg iptables and FWaaS L2	14:17
SridarK	i think we are good on that correct ?	14:17
chandanc	SridarK: annp yes i did try the iptable + OVS combination	14:18
yushiro	SridarK, Just a moment, let me check our previous patch.	14:18
chandanc	and the failed case was the one we discussed in length	14:18
chandanc	default firewall group should solve the issue	14:18
annp	chandanc, really?	14:18
SridarK	The failed case is mainly to due to conn track	14:18
chandanc	yes	14:18
chandanc	I still have to investigate one thing that annp pointed	14:19
annp	chandanc, actually, I don't think default fwg can resolve the issue.	14:20
annp	because there is one conntrack system on a compute node	14:20
chandanc	annp: can you describe the case ?	14:20
annp	Today I try to test with case:	14:20
chandanc	sure, please update the thread	14:21
annp	SG=iptables, FWaaS=OVS,	14:21
annp	VM1 with default SG allow ping, VM1 is attached with FWGA(No firewall rule)	14:22
annp	VM2 is attached with SG only,	14:22
annp	Ping from VM2 to VM1	14:22
annp	We can ping from VM2 to VM1	14:23
annp	VM2 is attached to default SG allow ping.	14:23
yushiro	SridarK, we said "if a port is associated with both firewall group and security group, then a packet must be allowed by both features.	14:23
yushiro	"	14:23
SridarK	yushiro: +1	14:23
chandanc	yushiro: +1	14:23
annp	I think the ct_state is change from new -> +est-repl,	14:24
xgerman_	o/	14:24
chandanc	annp: please confirm your findings	14:24
chandanc	once you have the results,	14:25
-openstackstatus- NOTICE: We're currently experiencing issues with the logs.openstack.org server which will result in POST_FAILURE for jobs, please stand by and don't needlessly recheck jobs while we troubleshoot the problem.		14:25
annp	So if vm2 is attached to default fwg with allow ping rules, I think VM2 can ping vm1.	14:25
chandanc	i can test on my system, but i have to redo my devstack	14:25
annp	So I think default fwg is not good solution.	14:26
annp	chandanc, please confirm the my test.	14:26
yushiro	However, I think previous reno says about SG for OVS...(Not explicitly mentioned)	14:26
SridarK	annp: but VM1 is attached to a FWG without a permit for icmp ?	14:26
annp	yes,	14:26
annp	I expect VM2 can't ping VM1	14:27
SridarK	annp: yes	14:27
SridarK	so it almost seems like FWaaS is bypassed ?	14:27
annp	SridarK, yes, Because conntrack state is changed.	14:28
SridarK	due to SG	14:28
SridarK	on iptables	14:28
chandanc	SridarK: annp i did not see this happen on my system, even with icmp allowed in FWG ping was not going through	14:29
annp	Have you test with my case?	14:29
xgerman_	same OS?	14:29
SridarK	chandanc: annp: So i think we need to confirm this	14:29
chandanc	yes, i will confirm	14:30
yushiro	VM1(defaulg SG allow:ICMP) (FWG A) ----- (default SG allow:ICMP)VM2	14:30
annp	yes, ping from VM2 to VM1 is ok?	14:31
annp	I don't have my system at home. But I just tested in my office.	14:31
yushiro	OK, I'll test it on Ubuntu.	14:32
chandanc	annp: as per my tests VM2 to VM1 ping fails, let me confirm	14:33
SridarK	So on this case, one observation was that without VM2 having a default FWG (even if we had permit for icmp) things will fail	14:33
chandanc	yes, that is the test i did	14:33
SridarK	chandanc: ^^^ this is what u had observed correct ?	14:33
chandanc	SridarK: +1	14:33
annp	chandanc, hmm, let wait yushiro confirm. I think we should test careful	14:34
chandanc	annp +1	14:34
yushiro	annp sorry, I confused. expect: failed to send ICMP from VM2 --> VM1 actual: success ?	14:34
annp	yushiro, yes, I expect failed	14:35
yushiro	OK, I see. will try it.	14:35
chandanc	annp: can you send your test case in the same mail thread with expected result	14:35
annp	yes, I will to in tomorrow.	14:35
yushiro	annp, chandanc +1	14:35
SridarK	ok lets confirm the difference in findings on this scenario	14:36
chandanc	ok	14:36
annp	However, I think my patch still necessary :)	14:36
SridarK	and we can continue the email thread	14:36
SridarK	annp: on ur patch lets discuss that	14:36
SridarK	annp: so u will prevent this scenario all together ?	14:37
annp	Sridark, I mean we should prevent linuxbridge port	14:37
chandanc	annp: you mean hybrid plug right ?	14:37
SridarK	annp: yes	14:38
annp	chandanc, no, if hybrid plug work corrects in coexistence mode. we no need to prevent.	14:38
chandanc	oh	14:38
xgerman_	+1	14:38
annp	however, we should prevent linuxbridge port	14:38
chandanc	annp +1	14:39
SridarK	annp: so if we are doing coexistence we need both sg and FWaaS to be using ovs	14:39
chandanc	i agree	14:39
SridarK	annp: and ur patch validates that	14:40
chandanc	if port.binding.vif_type == pb_def.VIF_TYPE_OVS:	14:40
chandanc	if not port.binding.vif_details[pb_def.OVS_HYBRID_PLUG]:	14:40
chandanc	return True	14:40
chandanc	i was confused by this	14:40
annp	SridarK, I mean mechanism driver= ovs or linuxbrige	14:40
yushiro	SridarK, +1 This is our target	14:40
annp	chandanc, we can remove if f not port.binding.vif_details[pb_def.OVS_HYBRID_PLUG] if hybrid port test ok	14:40
chandanc	annp: i am more confused now	14:41
chandanc	SG=iptables, FWaaS=OVS case you mmentioned	14:41
chandanc	is it iptables or iptables_hybrid	14:42
annp	my patch intend to prevent all ports, which doesn't support by fwg	14:42
yushiro	annp, In current validation, there is no relation for mechanism driver. I think it relates firewall_driver for security_group.	14:42
*** hoangcx_ has joined #openstack-fwaas		14:42
yushiro	firewall_driver for security_group are 'noop', 'iptables_hybrid' or 'openvswitch'.	14:42
chandanc	yushiro: yes +1	14:43
annp	yushiro, current source code in master branch?	14:43
annp	or my patch?	14:43
yushiro	annp, I mean ur patch	14:43
annp	No,	14:43
annp	my patch intend to prevent all ports, which are not supported by FWG at API side.	14:44
annp	Let me take an example:	14:45
annp	There is 2 compute node:	14:45
annp	compute A(ml2=LinuxBridge),	14:45
annp	ComputeB(ml2=OVS)	14:45
yushiro	annp, Yes, I know. However, a point is different. My point is a parameter 'vif_details' of the port relates firewall_driver.	14:45
annp	yushiro, We can remove vif_details line if all tested with SG=iptables_hybrid and FWaaS(OVS) passed in code coexistence.	14:47
chandanc	annp: am i correct in saying that your patch will allow only OVS + OVS case	14:47
annp	chandanc, yes.	14:47
yushiro	chandanc, I think so.	14:47
chandanc	ok, in that case	14:47
chandanc	i have only one concern	14:47
chandanc	can we ask the user to move SG to OVS	14:48
annp	Because I need your confirm with hybrid port test.	14:48
chandanc	SridarK: xgerman_ do you think operators will agree	14:48
SridarK	i have one clarfication before	14:49
chandanc	SridarK: sure	14:49
xgerman_	hard to know — we need to chat with them at one of the summits	14:49
chandanc	hmm	14:49
SridarK	annp: so on Compute A - we are running SG on iptables and Compute B SG on ovs ?	14:49
yushiro	chandanc, Yes, that is your concern. I think it's so difficult to modify existing system. So, preparing a new compute node with OVS ... or	14:50
yushiro	hmm	14:50
annp	SridarK, compute B can running with sg=iptables_hybrid or ovs	14:50
chandanc	yushiro: agree if there is a staged migration path	14:50
annp	From my understanding, compute A will running SG=iptables	14:51
annp	with ml2 driver = openvswitch, there is 2 solution for SG: SG based iptables, it called iptables_hybrid	14:52
annp	and SG based OVS	14:52
chandanc	yes	14:52
SridarK	agreed	14:53
yushiro	Sorry guys, there is 8 minutes left. Could you please continue after this meeting?	14:53
annp	So, My patch will prevent ports, which are landed at compute A	14:53
SridarK	ok	14:53
chandanc	annp	14:54
chandanc	i dont agree to prevent iptables based ports	14:54
SridarK	yes lets put the specifics down on the email thread as well	14:54
yushiro	#topic Open Discussion	14:54
chandanc	hybrid is the only issue	14:54
*** openstack changes topic to "Open Discussion (Meeting topic: fwaas)"		14:54
SridarK	ok one quick update in parallel	14:54
SridarK	regarding the service driver Patch from doude	14:55
doude	hi	14:55
yushiro	Yes.	14:55
yushiro	Hi	14:55
SridarK	doude: pls go ahead	14:55
doude	ok	14:56
doude	so given the deadline we decided to postpone it for R	14:56
SridarK	we agreed that doude will use an out of tree implementation for now for internal requirements	14:56
doude	and for our customers we will write our own FWaaS service plugin for queens which implements my proposed interfece driver	14:57
SridarK	doude: and u will file a bp and we will get this in R-1	14:57
xgerman_	+1	14:58
SridarK	doude thx for ur understanding	14:58
doude	about that bp, how should proceed?	14:58
chandanc	+1	14:58
doude	*I	14:58
SridarK	doude pls file it and u can pretty much replicate the contents that u have in ur bug	14:58
SridarK	doude: and we can discuss more offline	14:59
doude	ok	14:59
yushiro	Is it better to file RFE?	14:59
yushiro	BP ? Sorry, I just confused.	14:59
SridarK	ah yes maybe	14:59
SridarK	yushiro: blueprint	14:59
SridarK	sorry	14:59
yushiro	NP. Ah, OK, BP not RFE	15:00
SridarK	annp: can u pls continue ur description after the mtg or put it in the email thread	15:00
doude	what's RFE?	15:00
SridarK	either is ok, xgerman_ which do u think is better ?	15:00
yushiro	doude, Request For Enhancement. It's same as bug report but adding a tag named 'rfe'.	15:01
xgerman_	I think RfE is less work and likely sufficient	15:01
yushiro	SridarK, xgerman_ I have 1 quick .	15:01
yushiro	oh, it's time !	15:01
xgerman_	we can go over :-)	15:01
SridarK	xgerman_: ok makes sense	15:01
SridarK	oh yes we can :-)	15:01
yushiro	let's close weekly meeting now but please continue 1 thing :)	15:02
SridarK	ok	15:02
annp	SridarK, I think we can continue discuss after meeting	15:02
yushiro	Thanks.	15:02
yushiro	#endmeeting	15:02
*** openstack changes topic to "Queens (Meeting topic: fwaas)"		15:02
openstack	Meeting ended Thu Jan 25 15:02:21 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	15:02
openstack	Minutes: http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-01-25-14.01.html	15:02
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-01-25-14.01.txt	15:02
SridarK	annp: ok	15:02
openstack	Log: http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-01-25-14.01.log.html	15:02
yushiro	start meeting :)	15:02
annp	:)	15:02
annp	chandanc, How fwg can work with ports, which are landed at compute A?	15:03
annp	with current fwg l2 driver?	15:03
chandanc	if compute A is running linuxbridge, it will not work	15:03
yushiro	SridarK, xgerman_ I and hoangcx are trying to support fwaas logging feature. In this RFE https://bugs.launchpad.net/neutron/+bug/1720727	15:03
openstack	Launchpad bug 1720727 in neutron "[RFE] (Operator-only) Extend logging feature to support for FWaaS v2" [Wishlist,Triaged]	15:03
annp	yes, So I think we should prevent ports, which are landed at compute A	15:04
SridarK	yushiro: +1	15:04
SridarK	and we can target that for R ?	15:04
yushiro	SridarK, xgerman_ miguel wants to know our FWaaS activity ( Whether fwaas v2 implementation has been finished or not)	15:04
chandanc	annp: i agree	15:04
SridarK	yushiro: i think we can state that it is done	15:04
SridarK	now we are fixing bugs	15:04
yushiro	SridarK, xgerman_ Yes, I'd like to implement until R.	15:04
xgerman_	+1	15:04
yushiro	SridarK, yes,	15:04
xgerman_	yes	15:05
SridarK	yushiro: +1 for R	15:05
SridarK	i think we can kick of R with doude 's changes	15:05
yushiro	SridarK, xgerman_ Therefore, could you please comment this RFE about fwaas status?	15:05
SridarK	to avoid churn on code	15:05
yushiro	Miguel is waiting fwaaS member's reply :)	15:05
annp	OK, So let confirm with case compute B with sg=iptables_hybrid and Fwaas=OVS. Then we can consider remove the line https://review.openstack.org/#/c/536234/6/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@271	15:05
xgerman_	ah, I told him in person ;-)	15:06
annp	chandanc, right?	15:06
yushiro	xgerman_, sweet :)	15:06
chandanc	annp: yes	15:06
xgerman_	ok, will need to dig up the blueprint then	15:06
yushiro	SridarK, Yes, So, I think it's better to merge doube's patch super ASAP	15:06
annp	chandanc, :) OK.	15:07
SridarK	i think we can state the important aspects of the original bp are in	15:08
SridarK	i will comment to that effect as well	15:08
yushiro	OK thanks.	15:08
chandanc	annp: preventing linuxbridge port is good, as we dont have a driver that can support linuxbridge ports, so i am in agreement on that.	15:09
chandanc	i will test hybrid and update the thread	15:09
*** hoangcx_ has quit IRC		15:09
yushiro	chandanc, +10	15:09
annp	chandanc, in case of there is some issue with sg=iptables_hybrid and fwaas=ovs, we should consider prevent them temporary at least we have way to support that	15:09
chandanc	annp: agree	15:10
annp	chandanc, So I think we're same page now :)	15:10
chandanc	annp, please check on your side if noop driver works for SG	15:10
yushiro	annp, chandanc let me sync up with you guys. Now we're trying to investigate iptables_hybrid(SG) + FWG.	15:11
annp	chandanc, sure. I will check it and update the thread also	15:11
chandanc	as that can be the last option for us if people dont want to move SG to OVS	15:11
annp	yushiro, yes.	15:12
chandanc	yushiro: is associate default FWG true by default	15:12
SridarK	yushiro: added a comment	15:12
yushiro	chandanc, Default is 'False'	15:12
chandanc	ok	15:12
yushiro	chandanc, If you'd like to associate automatically, please configure /etc/neutron/plugins/ml2/ml2_conf.ini	15:13
chandanc	yushiro: sure i understand	15:13
annp	yushiro, configure in /etc/neutron/neutron_fwaas.conf?	15:14
SridarK	ok and once u have completed the investigation pls update the thread and we can file a bug to track this	15:15
chandanc	SridarK: sure	15:15
yushiro	whatever is OK if you load the file to start q-svc.service	15:15
annp	Frankly to speaking, I don't like enforcing all ports to default FWG. But if there is no way,...	15:15
SridarK	and we can use that bug to get in annp's validation patch or a variation of that	15:16
annp	yushiro, got it	15:16
yushiro	annp, You mean you don't like default SG either, right?	15:16
xgerman_	https://blueprints.launchpad.net/neutron/+spec/fwaas-api-2.0	15:16
xgerman_	can’t change anything there	15:16
xgerman_	except adding more work items	15:17
yushiro	xgerman_, +1	15:17
annp	No, I mean I don't mean that	15:17
annp	I don't like the solution use default fwg to fix communication between VMs	15:18
annp	in case of sg=iptables_hybrid, fwaas=OVS	15:18
yushiro	aha, I see what you mean	15:19
annp	yushiro, :)	15:19
yushiro	OK, I'm trying to test devstack with iptables_hybrid + ovs	15:19
annp	yushiro, +1	15:20
chandanc	ok yushiro	15:20
xgerman_	+1	15:20
*** SridarK has quit IRC		15:20
xgerman_	need to get some coffee ;-)	15:20
yushiro	:)	15:20
yushiro	OK guys, see you ~	15:21
annp	Thanks all, See you	15:21
chandanc	yushiro: annp please update the thread	15:21
chandanc	i have to log out now	15:21
annp	chandanc, sure!	15:21
yushiro	OK	15:21
*** yushiro has quit IRC		15:21
chandanc	thanks all	15:21
*** chandanc has quit IRC		15:21
annp	bye bye	15:22
*** annp has quit IRC		15:22
*** SridarK has joined #openstack-fwaas		15:24
*** yushiro has joined #openstack-fwaas		15:38
*** yushiro has quit IRC		15:48
-openstackstatus- NOTICE: logs.openstack.org is stabilized and there should no longer be new POST_FAILURE errors. Logs for jobs that ran in the past weeks until earlier today are currently unavailable pending FSCK completion. We're going to temporarily disable successful jobs from uploading their logs to reduce strain on our current limited capacity. Thanks for your patience !		16:01
*** jafeha has quit IRC		16:17
*** openstackstatus has quit IRC		16:41
*** openstackstatus has joined #openstack-fwaas		16:42
*** ChanServ sets mode: +v openstackstatus		16:42
*** jafeha has joined #openstack-fwaas		16:46
*** yamamoto has quit IRC		17:40
*** yamamoto has joined #openstack-fwaas		17:43
*** yamamoto has quit IRC		17:44
*** yamamoto has joined #openstack-fwaas		17:44
openstackgerrit	Merged openstack/neutron-fwaas-dashboard master: Updated from global requirements https://review.openstack.org/535027	17:52
*** AlexeyAbashkin has quit IRC		17:59
*** SumitNaiksatam has joined #openstack-fwaas		18:04
*** SridarK has quit IRC		18:07
*** yamamoto has quit IRC		18:42
*** SumitNaiksatam has quit IRC		19:18
*** AlexeyAbashkin has joined #openstack-fwaas		19:24
*** AlexeyAbashkin has quit IRC		19:28
*** yamamoto has joined #openstack-fwaas		19:43
*** reedip has quit IRC		19:52
*** yamamoto has quit IRC		19:55
*** reedip has joined #openstack-fwaas		20:04
*** cleong has quit IRC		21:32
*** yamamoto has joined #openstack-fwaas		22:05

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!