Thursday, 2018-04-05

*** yamamoto has joined #openstack-fwaas00:34
*** yamamoto has quit IRC00:39
openstackgerritYushiro FURUKAWA proposed openstack/neutron-fwaas master: Remove unused plugin.get_plugin_name()  https://review.openstack.org/55766900:40
*** hoangcx has joined #openstack-fwaas00:43
*** obre_ has joined #openstack-fwaas00:46
*** obre has quit IRC00:51
*** Swami has quit IRC01:15
*** yamamoto has joined #openstack-fwaas01:35
*** yamamoto has quit IRC01:41
*** yamamoto has joined #openstack-fwaas02:37
*** yamamoto has quit IRC02:43
*** yamamoto has joined #openstack-fwaas03:39
*** yamamoto has quit IRC03:45
*** yamamoto has joined #openstack-fwaas03:52
*** wkite has joined #openstack-fwaas04:22
*** wkite has quit IRC04:35
*** wkite has joined #openstack-fwaas04:36
*** wkite has quit IRC04:38
*** Swami has joined #openstack-fwaas06:07
*** AlexeyAbashkin has joined #openstack-fwaas06:38
*** Swami has quit IRC06:44
*** hoangcx has quit IRC06:47
*** hoangcx has joined #openstack-fwaas06:50
*** velizarx has joined #openstack-fwaas07:01
*** velizarx has quit IRC07:18
*** velizarx has joined #openstack-fwaas07:57
*** xgerman_ has quit IRC08:25
*** xgerman_ has joined #openstack-fwaas08:25
*** velizarx has quit IRC09:14
*** velizarx has joined #openstack-fwaas09:15
*** velizarx has quit IRC09:27
*** velizarx has joined #openstack-fwaas09:29
*** velizarx has quit IRC09:59
*** velizarx has joined #openstack-fwaas10:01
openstackgerritCuong Nguyen proposed openstack/neutron-fwaas master: [WIP] [log] Logging driver based iptables for FWaaS  https://review.openstack.org/55373810:04
*** velizarx has quit IRC12:15
*** velizarx has joined #openstack-fwaas12:37
*** piepmatz has joined #openstack-fwaas12:57
*** piepmatz has quit IRC13:00
*** piepmatz has joined #openstack-fwaas13:01
*** hoangcx_ has joined #openstack-fwaas13:05
piepmatzhi, I am trying to set up fwaas 2.0 in a dvr setup. the tempest tests are failing because the created router is distributed. when creating the firewall group the port validation fails because the port's device_owner is network:router_interface_distributed instead of network:router_interface. I am trying to understand if dvr + fwaas work together. a promising blueprint (https://blueprints.launchpad.net/neutron/+spec/neutron-dvr-fwaa13:10
piepmatzcompleted long ago, but those changes were done before version 2 existed. can anyone tell me if fwaas_v2 and dvr work in combination?13:10
piepmatz(please don't hesitate to answer when I am offline. I'll check the logs and will come back)13:36
*** wkite has joined #openstack-fwaas13:49
*** ndefigueiredo has joined #openstack-fwaas13:51
*** chandanc has joined #openstack-fwaas13:53
*** yushiro has joined #openstack-fwaas13:57
*** SridarK has joined #openstack-fwaas13:57
*** annp has joined #openstack-fwaas13:59
SridarKHi FWaaS folks13:59
chandancHello All13:59
annpHi All13:59
SridarK#startmeeting fwaas14:00
openstackMeeting started Thu Apr  5 14:00:01 2018 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
*** openstack changes topic to " (Meeting topic: fwaas)"14:00
openstackThe meeting name has been set to 'fwaas'14:00
SridarK#chair xgerman_ yushiro14:00
openstackCurrent chairs: SridarK xgerman_ yushiro14:00
xgerman_o/14:00
SridarKyushiro: i see u are on sched but u ran the mtg last time too14:00
xgerman_yeah. it’s my turn14:00
SridarKah ok14:01
SridarKpls go ahead xgerman_14:01
xgerman_#topic Announcements14:01
yushiroAh, Thanks SridarK and xgerman_14:01
*** openstack changes topic to "Announcements (Meeting topic: fwaas)"14:01
xgerman_So R-1 is in two weeks14:01
xgerman_time flies —14:01
SridarK:-)14:01
xgerman_Also if you like to use your PTG code/speaker code for Vancouver registration - deadline is 5/1114:02
SridarKHope a few folks can make it to the summit14:04
xgerman_there is some new proposal by keystone on how to do policies14:04
xgerman_https://review.openstack.org/#/c/523973/14:04
xgerman_with the goal to make it a community goal14:04
xgerman_#topic AddressGroups14:05
*** openstack changes topic to "AddressGroups (Meeting topic: fwaas)"14:05
doudehi o/14:06
SridarKI wonder if any of the submitters are here14:06
SridarKI was hoping to see them here as in the response to the email14:06
xgerman_We got approached by the OpenStack Financial Group and for them Address Groups are of uttermost importance and they filed spec14:07
xgerman_#link https://review.openstack.org/#/c/55713714:07
wkitei am here14:07
xgerman_welcome14:07
yushirowkite, Hi.  Welcome to fwaas :)14:07
SridarKah great hi wkite14:07
xgerman_Now we already had address groups in our original spec so I am questioning if we need a new spec - thoughts?14:07
SridarKI think fundamentally we are in agreement on the feature14:08
SridarKwhich is why we put it in the orig spec14:08
SridarKbut was lower priority14:08
SridarKi think to xgerman_'s point we only need to figure out the process14:09
yushiroSridarK, xgerman_ +114:09
chandanc+114:09
SridarKwould a RFE be simpler to adapt the orig proposal14:09
wkitethe address of the orion spec does not support ip range objects and multi address groups in a rule.14:10
SridarKwkite: agreed, that would be difference with the new proposal14:11
xgerman_well, our orig. spec is two years old so having a new one puts it top of mind14:12
wkiteshould I modify the original spec?14:12
xgerman_I think we can either do the RfE or a new spec — just wanted to get consensus what works best for everybody14:13
SridarKAn RFE will be simpler with the deviation proposed14:14
SridarKbut we should discuss the additional support14:14
SridarKwkite: when do u want to target the feature implementation ?14:14
xgerman_well, there is the R-2 deadline14:15
wkitei wrote some codes for this implementation last two months.14:16
SridarKwkite: ok but are u targeting to be in the R release or in the S after this cycle ?14:16
xgerman_I would like to see it in R if possible14:17
xgerman_but with Horizon/client/neutron-lib might be too many moving parts14:17
SridarKxgerman_: +114:18
yushiroxgerman_, +1  Yes, it is not so small..14:18
wkitexgerman_: +114:18
SridarKat least will need to have OSC14:18
yushiroSridarK, +114:18
SridarKwkite: also we will need to evaluate the driver side of things14:18
wkiteSridarK, +114:19
chandanc+114:19
SridarKmaybe for now shall we continue the conversation on the spec14:19
xgerman_+114:19
SridarKIt seems the spec may be a better place to capture the comments than an RFE14:19
xgerman_#action cores will review spec14:20
SridarKxgerman_: +114:20
yushiro+1+114:20
SridarKwkite: lets do that then - we can continue on the spec14:21
wkite+114:21
njohnston+114:21
xgerman_#topic Rocky14:21
*** openstack changes topic to "Rocky (Meeting topic: fwaas)"14:21
SridarKwkite: will u be able to attend this mtg going fwd ?14:21
wkitemtg?14:22
xgerman_our Thursday FWaaS meeting14:22
SridarKxgerman_: +114:22
wkiteno problem14:23
SridarKok great14:23
yushirowkite, http://eavesdrop.openstack.org/#Firewall_as_a_Service_(FWaaS)_Team_Meeting14:23
annp+114:24
xgerman_1. Pluggable backend driver https://review.openstack.org/#/c/480265/14:24
xgerman_I have seen doude14:24
xgerman_posting a new revision14:24
SridarKdoude: I will publish some comments soon - i am on the review14:25
yushiroI've tested doude's patch with multi-nodes14:25
xgerman_nice14:26
SridarKyushiro: great, things good ?14:26
yushiroSridarK, Yeah, but I found that there was an issue about devstack plugin.  Some configuration didn't set correctly in compute-node.14:27
doudeok xgerman_14:27
SridarKyushiro: hmm should we address that separately ?14:27
yushiroSridarK, Yes, there is no relation with this patch.14:28
doudeyushiro: I saw you post some error log in the etherpad, did you find issues?14:28
yushirodoude, Now I'm finding but I think there is no relation with this patch.14:29
doude#link https://etherpad.openstack.org/p/fwaas-pluggable-backend-testing14:29
yushirochandanc, annp Did you remember this error message??  I think that was race:  OVSFWaaSPortNotFound: Port d74ff04c-4f81-459c-9f18-0b96f81a8c3c is not managed by this agent.14:29
chandancyushiro: sorry i dont remember, but can get back14:30
doudeok yushiro14:30
yushiroannp, Can you try to deploy multi-node with master branch?  I'd like to verify this error doesn't relate to doude's patch.14:31
annpYushiro, sure. I'll do it.14:32
annpYushiro, let's discuss tomorrow.  :-)14:32
xgerman_2. [WIP] Adds remote firewall group: https://review.openstack.org/52120714:34
yushiroSridarK, in multi-node case, there was OVSFWaaSPortNotFound and changed "ERROR" status for fwg but finally will change "ACTIVE".  So, please let me check more..14:34
SridarKyushiro: ok14:35
xgerman_I am still aiming for R-2 but things have been busy14:37
SridarKxgerman_: sounds good14:38
yushiro+114:38
xgerman_3. Logging for FWaaS(SPEC): https://review.openstack.org/#/c/509725/14:38
xgerman_annp: and njohnston commented on that14:39
yushiroannp, njohnston Thanks.14:39
xgerman_+114:39
xgerman_it looks like we are close14:39
yushiroannp, You specified iptables format by using NFLOG ?14:40
annpyushiro,  you're welcome. :-)14:40
SridarKand the plan is support L3 first ?14:40
annpYushiro,  yes. What do you think about iptables structure?14:41
yushiroannp, I have some opinion.  But let's discuss after or tomorrow.14:41
annpSridark,  yes, we intend to support L3 first.14:42
SridarKannp: thx14:42
annpYushiro, ok. Let's discuss in tomorrow.14:42
yushiroIf necessary, do we need to describe "L3 first" on the spec?14:42
annpI think it should be mentioned in spec as our target in rocky14:43
SridarKyushiro: annp: i will add a comment14:44
yushiroOK14:44
annpDo you think so?:)14:44
yushiroSridarK, Thanks :)14:44
hoangcx_I don't think we need to mention that in the spec14:44
annpSridark, thanks.14:44
SridarKI think it will be good to call out the implementation phases14:45
SridarKand then we can have reno cover some of it14:45
hoangcx_+114:45
xgerman_+114:45
SridarKso we dont have to have a new spec for L214:45
yushiroAha, OK.  Thanks hoangcx_14:46
hoangcx_xgerman_: right, that is my opinion14:46
*** annp has quit IRC14:46
yushiroOK, we can define "community decision".  Anyway, let's focus on L3 logging first :)14:47
xgerman_+114:47
xgerman_code talks14:47
SridarK:-)14:47
njohnston:-)14:48
*** annp_ has joined #openstack-fwaas14:49
*** annp__ has joined #openstack-fwaas14:49
yushirowelcome14:50
annp__sorry, my connection is lost suddenly. :(14:50
xgerman_4. policy-in-code: https://governance.openstack.org/tc/goals/queens/policy-in-code.html14:50
xgerman_I think this relates to the link I posted earlier14:50
yushiroyes14:51
xgerman_so if we can defer until the dust settles that would be good — otherwise we might face rework14:52
xgerman_ok, with 7 min left let’s move to14:53
xgerman_#OpenDiscussion14:54
xgerman_#topic OpenDiscussion14:54
*** openstack changes topic to "OpenDiscussion (Meeting topic: fwaas)"14:54
yushirodoude, I'll comment your patch ASAP if I finished multi-node testing.14:56
doudegreat yushiro14:56
SridarKdoude: same here - just give me a day to finish14:57
doudeok next week will be a busy week for me :)14:57
SridarKDo folks have clarity on if they can make the summit14:57
SridarKdoude: :-) yes we will push for R-114:57
yushirodoude, +busy +1 :)14:57
xgerman_I will be there at the summit14:58
yushiroNext week, we can get reply from TSP.  Hopefully I can go there but not sure now...14:58
xgerman_fingers crossed14:58
SridarKthat seems to be for everything nowadays, my fingers are now realigned :-)14:59
yushiroI wish!!14:59
xgerman_yeah, they rebranded the local OpenStack meeting here as OpenInfrastructure15:00
SridarKhmm very interesting15:00
xgerman_time —15:01
yushiro:)15:01
xgerman_#endmeeting15:01
*** openstack changes topic to "Queens (Meeting topic: fwaas)"15:01
njohnstono/15:01
openstackMeeting ended Thu Apr  5 15:01:10 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-04-05-14.00.html15:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-04-05-14.00.txt15:01
SridarKBye all15:01
openstackLog:            http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-04-05-14.00.log.html15:01
piepmatznow that everyone is here, please excuse re-posting my earlier question: hi, I am trying to set up fwaas 2.0 in a dvr setup. the tempest tests are failing because the created router is distributed. when creating the firewall group the port validation fails because the port's device_owner is network:router_interface_distributed instead of network:router_interface. I am trying to understand if dvr + fwaas work together. a promising b15:01
piepmatz(https://blueprints.launchpad.net/neutron/+spec/neutron-dvr-fwaas) was completed long ago, but those changes were done before version 2 existed. can anyone tell me if fwaas_v2 and dvr work in combination?15:01
xgerman_thanks everybody15:01
yushirobye bye15:02
SridarKpiepmatz: hi15:02
*** hoangcx_ has quit IRC15:02
piepmatzSridarK: hi :)15:02
SridarKpiepmatz: i am looking into a validation issue with HA scenario15:02
doudeI could not attend the summit15:03
*** Swami has joined #openstack-fwaas15:03
*** chandanc has quit IRC15:03
piepmatzSridarK: How is HA related to this?15:04
SridarKpiepmatz: It is not15:04
SridarKpiepmatz: it is in the validation issue15:04
SridarKpiepmatz: let me work on this15:04
piepmatzSridarK: so does this mean that fwaas actually should work with dvr but at the moment some doesn't?15:05
piepmatz*somehow15:05
SridarKpiepmatz: it can only filter the N - S traffic15:05
SridarKpiepmatz: and not any E - W (as we can have asymmetric routing and conntrack will have issues)15:06
piepmatzSridarK: ok, that's a limitation I can live with. I was just wondering if it can work at all if the port validation accepts nothing but network:router_interface as device_owner15:07
SridarKpiepmatz: we did have some checks to ensure that N - S would always work in a DVR env15:07
piepmatzwell, what I said is not right, "compute:*" is also fine.15:08
SridarKpiepmatz: currently that is the validation in place - we do need to fix that, but let me understand if we had a change in device_owner15:09
SridarKpiepmatz: yes as we can support on L2 ports now15:09
SridarKi assume u are on Queens ?15:09
piepmatzocata :/15:09
SridarKpiepmatz: hm ok15:09
SridarKpiepmatz: let me dig more on this15:10
piepmatzwell, I also tried with the master branch, same problem15:10
SridarKpiepmatz: do u want to file a bug - or i can file one too ?15:10
piepmatzthe validation was introduced in https://review.openstack.org/#/c/323971/15:10
SridarKpiepmatz: yes15:11
*** yushiro has quit IRC15:11
piepmatzSridarK: please file it. thanks :)15:11
SridarKpiepmatz: will do15:12
*** chandanc has joined #openstack-fwaas15:12
SridarKpiepmatz: what will be the best way to reach u ?15:12
piepmatzSridarK: email: dev@matthias-bastian.de15:13
SridarKpiepmatz: got it, i will keep u posted so u can track the bug and will also send u an email so u can get a hold of me if u dont find me here15:14
piepmatzSridarK: sounds good, thanks a lot!15:14
SridarKpiepmatz: no worries thx15:14
piepmatzI actually never tried the ocata release of neutron-fwaas. I started straight with the latest release on PyPI and later on the master branch. so I don't know how the problem behaves in ocata.15:17
SridarKpiepmatz: the changes with compute will only be avail from Queens onwards15:18
SridarKOcata only checks with device_owner:router_interface15:19
SridarKwhat i need to check is DVR had a change with the device_owner getting marked as router_interface_distributed15:19
SridarKI recall doing a check differently a while back to ensure that we work with DVR15:20
SridarKwill validate it15:20
piepmatzSridarK: thx again!15:21
SridarKpiepmatz: no worries at all - will get u an email late in my day (i am in US Pacific time zone)15:22
SridarKthx for bringing it up15:22
*** annp__ has quit IRC15:28
*** openstackgerrit has quit IRC15:34
*** wkite has quit IRC15:35
*** annp_ has quit IRC15:36
*** Swami has quit IRC15:54
*** velizarx has quit IRC15:56
*** AlexeyAbashkin has quit IRC16:10
*** annp has joined #openstack-fwaas16:12
*** annp has quit IRC16:13
piepmatzSridarK: in central Europe it's time to go home. have a good one!16:47
*** piepmatz has quit IRC16:47
*** ndefigueiredo has quit IRC17:00
*** SridarK has quit IRC17:17
*** SumitNaiksatam has joined #openstack-fwaas17:34
*** AlexeyAbashkin has joined #openstack-fwaas17:34
*** AlexeyAbashkin has quit IRC17:38
*** yamamoto has quit IRC19:45
*** yamamoto has joined #openstack-fwaas20:46
*** yamamoto has quit IRC20:52
*** Swami has joined #openstack-fwaas21:28
*** yamamoto has joined #openstack-fwaas21:48
*** yamamoto has quit IRC21:53
*** yamamoto has joined #openstack-fwaas22:49
*** yamamoto has quit IRC22:55
*** threestrands has joined #openstack-fwaas23:02
*** threestrands has quit IRC23:02
*** threestrands has joined #openstack-fwaas23:02
*** SumitNaiksatam has quit IRC23:26
*** yamamoto has joined #openstack-fwaas23:51
*** yamamoto has quit IRC23:57
