Thursday, 2018-07-12

*** longkb has joined #openstack-fwaas		00:36
*** yamamoto has joined #openstack-fwaas		00:49
*** yamamoto has quit IRC		00:54
*** hoangcx has quit IRC		01:50
*** yamamoto has joined #openstack-fwaas		01:50
*** hoangcx has joined #openstack-fwaas		01:50
*** yamamoto has quit IRC		01:55
*** yamamoto has joined #openstack-fwaas		02:03
openstackgerrit	Kim Bao Long proposed openstack/neutron-fwaas master: [log] Logging driver based iptables for FWaaS https://review.openstack.org/553738	04:00
*** njohnston has quit IRC		04:07
*** reedip has quit IRC		04:07
*** njohnston has joined #openstack-fwaas		04:07
*** reedip has joined #openstack-fwaas		04:19
*** velizarx has joined #openstack-fwaas		06:56
*** velizarx has quit IRC		07:13
*** velizarx has joined #openstack-fwaas		07:22
*** yamamoto has quit IRC		07:48
*** yamamoto has joined #openstack-fwaas		08:44
*** yamamoto has quit IRC		08:50
*** yamamoto has joined #openstack-fwaas		09:46
*** yamamoto has quit IRC		09:51
*** yamamoto has joined #openstack-fwaas		10:03
*** hungpv has joined #openstack-fwaas		10:26
*** velizarx has quit IRC		10:53
*** reedip has quit IRC		10:54
*** reedip has joined #openstack-fwaas		11:07
*** velizarx has joined #openstack-fwaas		11:09
*** hungpv has quit IRC		11:20
*** longkb has quit IRC		11:34
*** yamamoto has quit IRC		13:01
*** velizarx has quit IRC		13:12
*** velizarx has joined #openstack-fwaas		13:16
*** longkb has joined #openstack-fwaas		13:18
*** yamamoto has joined #openstack-fwaas		13:28
*** yamamoto has quit IRC		13:29
*** hoangcx_ has joined #openstack-fwaas		13:32
*** yamamoto has joined #openstack-fwaas		13:34
*** yamamoto_ has joined #openstack-fwaas		13:41
*** yamamoto has quit IRC		13:41
*** hoangcx_ has quit IRC		13:50
*** SridarK has joined #openstack-fwaas		13:50
*** wkite has joined #openstack-fwaas		13:51
*** wkite has quit IRC		13:55
*** yushiro has joined #openstack-fwaas		13:55
*** annp_ has joined #openstack-fwaas		13:56
yushiro	annp hi	13:56
annp_	yushiro, hi	13:56
yushiro	I built latest devstack with logging patch. However, q-svc cannot restart with following error: global name 'server_rpc' is not defined.	13:57
yushiro	Did you hit such error?	13:57
yushiro	I just applied 3 patches and ran 'sudo python setup.py install'. After that, I restarted q-svc.service.	13:58
annp_	did you build with master branch or latest patch?	13:58
longkb	hmm	13:58
annp_	longkb, did you see the error?	13:59
yushiro	deployed devstack with master branch, after that I applied each patches as longkb described on github.	13:59
longkb	yushiro, could you show me your error log?	13:59
longkb	I did not meet this error before	13:59
SridarK	Hi FWaaS folks	13:59
SridarK	shall we continue in the mtg	13:59
annp_	yushiro, longkb can we discuss later?	14:00
yushiro	Hi SridarK :)	14:00
SridarK	#startmeeting fwaas	14:00
annp_	hi SridarK	14:00
openstack	Meeting started Thu Jul 12 14:00:06 2018 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.	14:00
yushiro	annp_, Yeah, later is better.	14:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	14:00
*** openstack changes topic to " (Meeting topic: fwaas)"		14:00
longkb	hi SridarK	14:00
openstack	The meeting name has been set to 'fwaas'	14:00
SridarK	#chair yushiro xgerman_	14:00
openstack	Current chairs: SridarK xgerman_ yushiro	14:00
SridarK	Just got back from long PTO	14:00
yushiro	Welcome back, SridarK :)	14:00
SridarK	sorry could not stay on top of things completely but caught up on logs	14:00
SridarK	so let me do my turn today	14:01
SridarK	thx xgerman_ and yushiro	14:01
yushiro	OK	14:01
xgerman_	o/	14:01
longkb	+1 SridarK	14:01
SridarK	#topic announcements	14:01
*** openstack changes topic to "announcements (Meeting topic: fwaas)"		14:01
SridarK	we are getting close	14:01
SridarK	but seems like things are chugging along, lets get to updates quickly so we can focus on the patches	14:02
SridarK	#topic FWaaS logging	14:02
*** openstack changes topic to "FWaaS logging (Meeting topic: fwaas)"		14:02
SridarK	#link https://review.openstack.org/#/c/529814/	14:02
SridarK	#link https://review.openstack.org/#/c/553738/	14:02
SridarK	annp_: longkb pls go ahead	14:03
longkb	Thanks SridarK	14:03
*** wkite has joined #openstack-fwaas		14:03
SridarK	yushiro: i think u were just asking just as we started too	14:03
longkb	I draft a review plan for fwaas logging. You guys can check it in https://etherpad.openstack.org/p/Logging_service_for_FWaaS_review_plan	14:04
longkb	I also mark the order for review these patches	14:04
yushiro	SridarK, yeah, longkb explains about how to test.	14:04
SridarK	longkb: ah thx - very informative	14:04
SridarK	so we have dependencies on the neutron patches	14:05
longkb	thanks SridarK, yushiro	14:05
longkb	yep	14:05
SridarK	do u think the neutron patches will make it in time ?	14:05
longkb	annp_: how to you think?	14:06
annp_	longkb, that's great	14:06
yushiro	SridarK, Currently, I think these patches in neutron are OK except some nits. However, it's better to ask Miguel for FFE.	14:06
SridarK	yushiro: ok	14:07
annp_	yushiro +!	14:07
annp_	SridarK, +!	14:07
longkb	annp_, yushiro: +1	14:07
yushiro	And annp_ will ask Miguel and Jakub :)	14:07
SridarK	yushiro: so we will need an FFE for the FWaaS side as well	14:07
SridarK	if we have a dependency	14:07
yushiro	SridarK, Aha, yes.	14:07
annp_	yushiro, I will ask Miguel in next neutron meeting for FFE	14:08
SridarK	annp_: +1	14:08
SridarK	Do we need all 3 neutron patches to merge before merging any patch on FWaaS side ?	14:08
yushiro	I think YES. annp_ longkb , right?	14:09
longkb	SridarK: I think neutron patches should be merged first	14:09
annp_	Sriark, yushiro, right. We need 3 patches to get merge first.	14:09
SridarK	ok so we will need 3 patches in neutron and 8 patches in FWaaS to merge on FFE	14:10
annp_	Sridark, So please help us to review it. :)	14:10
SridarK	annp_: yes on it will work on it today	14:10
longkb	thanks SridarK	14:10
annp_	SridarK, Thanks a ton!	14:10
SridarK	ok do u want to discuss any other issues here	14:11
annp_	SridarK, please go ahead	14:12
yushiro	annp_, longkb As I said before, for testing perspective, in FWaaS side patches, do we need to add dependencies?	14:12
SridarK	i think if we document our test results in a similar manner to the review plan (which is great) - we make our chances better for FFE	14:12
yushiro	SridarK, +10 I think so.	14:12
annp_	SridarK, +10.	14:13
longkb	SridarK, +10	14:13
SridarK	Is that a 10 decimal or binary ? :-) (I am trying to be like yushiro ) :-)	14:13
*** velizarx has quit IRC		14:14
SridarK	ok lets move on - i think we have a plan	14:14
yushiro	SridarK, Hahaha :p	14:14
SridarK	and now that i am back from PTO - i will also work on reviews	14:14
xgerman_	sweet	14:14
SridarK	#topic Remote FWG	14:14
*** openstack changes topic to "Remote FWG (Meeting topic: fwaas)"		14:14
SridarK	xgerman_: pls go ahead	14:14
SridarK	#link https://review.openstack.org/#/c/521207/	14:15
xgerman_	Most of it is done but I am at my wits end with ovs…	14:15
xgerman_	not sure how to debug that effectively :-(	14:15
SridarK	sigh - let me also reach out chandanc and annp is here too	14:16
xgerman_	thanks — yeah, I could probably figure it out but I also have other priorities which eat up my time :-(	14:16
SridarK	xgerman_: yes indeed totally understand	14:16
annp_	xgerman_, I have a question: There is no DENY action for each remote group rule?	14:17
xgerman_	mmh, I thought I had deny	14:17
annp_	xgerman_, I mean there are only ALLOW action for remote group rule, right?	14:17
xgerman_	they are just a way to describe a group of ports so deny is plausible	14:18
xgerman_	or more general we should support all actions	14:18
annp_	xgerman_, OK. I got it.	14:20
yushiro	remote_group_id allows from all neutron ports which is associated with its firewall_group, right?	14:20
yushiro	oops, sorry. remote_firewall_group_id.	14:20
annp_	xgerman_, So we only support action "Allow" in remote group rule ATM?	14:20
xgerman_	I can see also a use case where you would deny certain traffic from those ports	14:20
annp_	xgerman_, right?	14:20
xgerman_	I am confused then - I thought remote FWG is another way to describe ports and it’s independent of the action	14:21
SridarK	We should probab be in line with Remote SG here	14:21
SridarK	And the action is another attribute in the rule (which is independent)	14:22
xgerman_	aka if I have a remote FWG describing web servers I would want to only allow certain traffic from there to a database and block the rest	14:22
xgerman_	SridarK: +1	14:22
annp_	SridarK, +1	14:23
annp_	xgerman_, I got it. Thanks.	14:23
yushiro	Aha, if we use remote_fwg_id like SG, it means 'allow traffic from neutron ports'. However, we can also extend to use as 'deny' as SridarK said.	14:23
xgerman_	yep, or drop	14:24
yushiro	xgerman_, I see :)	14:24
SridarK	I am not sure maybe we want alignment with SG - so there is no confusion with users	14:24
SridarK	*for users	14:24
annp_	SridarK, +100	14:25
xgerman_	yeah, the simple case should align + more advanced users should get more latitude	14:25
yushiro	xgerman_, I think it's OK to support 'allow' first like SG. After that, we can also support 'drop' case :)	14:25
xgerman_	+1	14:25
yushiro	step by step :p	14:25
yushiro	Yeah	14:25
SridarK	xgerman_: ah yes exactyl what yushiro says	14:25
annp_	SridarK, +1	14:26
xgerman_	+1	14:26
annp_	xgerman_, please go ahead	14:29
xgerman_	yeah, the other two pieces are done (client + plugin)	14:30
SridarK	ok cool xgerman_ - i reached out to chandan too - if we can leverage some of his scripts for ovs debugging (i recall he had some things)	14:30
xgerman_	that would be great!!	14:30
SridarK	ok cool - lets move on	14:30
xgerman_	+1	14:30
yushiro	+1	14:30
annp_	+1	14:31
SridarK	#topic Bugs	14:31
*** openstack changes topic to "Bugs (Meeting topic: fwaas)"		14:31
SridarK	#link https://bugs.launchpad.net/neutron/+bug/1762454	14:31
openstack	Launchpad bug 1762454 in neutron "FWaaS: Invalid port error on associating ports (distributed router) to firewall group" [Medium,In progress] - Assigned to Yushiro FURUKAWA (y-furukawa-2)	14:31
SridarK	yushiro: thanks for picking this up	14:31
SridarK	some history - i had talked to	14:31
yushiro	You're welcome.	14:31
yushiro	OK	14:32
SridarK	swami before i left on PTO - i think we are good on the DVR side - i wanted to verify the ns implications where rules are applied	14:32
SridarK	but i had concerns on the HA side	14:32
SridarK	the validation check is easy but operationally i have some concerns	14:33
SridarK	hence i was a bit unsure - as it requires some thorough verification	14:33
SridarK	yushiro: not sure if u have more data on it	14:33
yushiro	SridarK, I just checked 'device_owner' of each case and namespace structure.. Not tested yet.	14:34
SridarK	yushiro: ok	14:34
yushiro	each case means 1. DVR, 2. L3-HA 3.DVR + L3-HA	14:34
SridarK	yushiro: ok lets talk offline on it to make sure we have no issues	14:35
SridarK	I was good with (1) but (2) & (3) have some concerns on datapath	14:35
SridarK	yushiro: will sync up with u more on it	14:35
yushiro	SridarK, OK, thanks.	14:36
SridarK	any other bugs needing discussion	14:36
annp_	SriarK, Hi	14:36
SridarK	annp_: pls go ahead	14:36
annp_	In order to support wsgi server for neutron, there is a issue related fwaas rpc as http://lists.openstack.org/pipermail/openstack-dev/2018-June/131722.html	14:37
annp_	I and zigo try to fix that at https://review.openstack.org/#/c/580327/	14:37
*** hongbin has joined #openstack-fwaas		14:37
zigo	o/	14:38
annp_	and https://review.openstack.org/#/c/579433/	14:38
zigo	I can confirm that the patch from annp_ works very well.	14:38
SridarK	ah yes	14:38
zigo	I would very much warmly welcome merging, that one plus the other wsgi patches for Neutron itself.	14:38
annp_	zigo, Thanks zigo.	14:38
SridarK	annp_: zigo perfect many thx	14:39
xgerman_	+1	14:39
SridarK	will do	14:39
annp_	+10	14:39
yushiro	annp_, zigo Thanks. In order to check these behavior, do we need 2 patches (neutron + neutron-fwaas)	14:39
SridarK	is there a dependency we need to be aware off ?	14:39
zigo	I didn't check the v2 one though, only v1...	14:39
annp_	yushiro, actually these patch doesn't depend on neutron.	14:40
SridarK	annp_: ok	14:40
annp_	zigo, Could you please help us to verify with v2?	14:40
SridarK	will review	14:40
annp_	SridarK, thanks!	14:41
yushiro	annp_, You mean, if we apply https://review.openstack.org/#/c/580327/ and deploy devstack. Then, we can check q-svc's status, right?	14:41
yushiro	oops, strange english ...	14:42
annp_	yushrio, off-course!	14:42
yushiro	OK, will try it as well.	14:42
zigo	yushiro: You need 1/ the fix for neutron to load properly using neutron-api + neutron-rpc-server at https://review.openstack.org/#/c/555608/	14:42
zigo	2/ load neutron using uwsgi (if you're with devstack, some of these will help: https://review.openstack.org/#/c/580049/ https://review.openstack.org/#/c/473718/ )	14:42
zigo	3/ the fwaas patches: https://review.openstack.org/#/c/580327/ https://review.openstack.org/#/c/579433/	14:42
zigo	All of these need to be merged.	14:42
zigo	Yeah, that one too... https://review.openstack.org/#/c/580327/	14:43
yushiro	zigo, Thanks. Do I need to edit some config file ?	14:43
zigo	yushiro: If you're with devstack, I'm not sure, I do Debian packages integration, in my setup, it just work.	14:43
annp_	zigo, These step is necessary if yushiro want to deploy neutron-api under uwsgi. otherwise we don't need.	14:43
zigo	yushiro: You can also just run Debian with puppet-openstack and it will setup everything for you automatically, though that's going to be Queens ...	14:44
yushiro	zigo, I usually use devstack :p But thanks :)	14:44
zigo	Right.	14:44
annp_	yushrio, you can try with devstack by https://review.openstack.org/#/c/473718/	14:44
yushiro	zigo, Aha!! I had asked you same question ..	14:44
yushiro	annp_, Thanks.	14:45
annp_	yushrio, you should pull dow the patch and modify a bit https://review.openstack.org/#/c/473718/31/lib/neutron-legacy@94	14:46
SridarK	Sounds good then we will target these 2 patches	14:46
annp_	NEUTRON_DEPLOY_MOD_WSGI should be set True	14:46
yushiro	annp_, +1 . BTW, my name is yushiro. Haha :p	14:47
*** wkite has quit IRC		14:47
annp_	yushiro, oh, I'm so sorry. :)	14:47
SridarK	Although yushrio - has a nice ring to it too :-)	14:47
yushiro	:)	14:47
yushiro	annp_, no warries	14:48
SridarK	ok lets move on	14:48
annp_	yushiro: thanks. :)	14:48
SridarK	#topic Address Groups	14:48
*** openstack changes topic to "Address Groups (Meeting topic: fwaas)"		14:48
annp_	SridarK, thanks!	14:48
SridarK	oh looks like wkite is no longer here	14:48
yushiro	Oh, I couldn't reach out miguel this week..	14:49
SridarK	yushiro: i will msg him	14:49
yushiro	SridarK, Thank you so much.	14:49
SridarK	more time zone aligned	14:49
SridarK	hopefully we can get a +A	14:49
SridarK	else it will be in S	14:50
SridarK	#topic Open Discussion	14:50
*** openstack changes topic to "Open Discussion (Meeting topic: fwaas)"		14:50
SridarK	CFP closes soon	14:50
xgerman_	yep	14:51
SridarK	annp_: u think u may be able to pull together something for L7 ?	14:51
SridarK	not sure if u had too much time to go thru it	14:51
SridarK	annp_: if u think u want to do something - we can talk on some possibilities	14:51
yushiro	+1	14:52
annp_	SridarK, yeah. I'd like to propose this for CFP. Do you want to become a speaker?	14:52
SridarK	annp_: lets talk more - sure i can help out	14:53
SridarK	annp_: but lets have a plan on the content	14:53
SridarK	annp_: lets talk offline	14:53
annp_	SridarK, Yes. lets sync up via email.	14:53
SridarK	annp_: +1	14:54
annp_	SridarK, I also want to propose this topic for vietnam openstack day :)	14:54
yushiro	annp_, Sounds good :)	14:54
SridarK	annp_: ok good	14:54
xgerman_	+1	14:54
longkb	+1 annp_	14:55
annp_	SridarK, yushiro, xgerman_m thanks! :)	14:55
annp_	longkb, thanks!	14:55
SridarK	ok if nothing else we can end	14:56
SridarK	Thx all for joining	14:56
yushiro	Thanks!!	14:56
SridarK	bye	14:56
longkb	bye guys	14:56
annp_	thanks all. See you	14:56
SridarK	#endmeeting	14:56
*** openstack changes topic to "Queens (Meeting topic: fwaas)"		14:56
openstack	Meeting ended Thu Jul 12 14:56:43 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	14:56
openstack	Minutes: http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-07-12-14.00.html	14:56
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-07-12-14.00.txt	14:56
openstack	Log: http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-07-12-14.00.log.html	14:56
annp_	yushiro, longkb, hi	14:57
yushiro	hi	14:57
longkb	hi annp_	14:57
annp_	yushiro, can you show me your log when you devstack with logging patch?	14:57
yushiro	sorry, I missed rebasing. I just removed some import line.	14:58
yushiro	Now, q-svc can run. Now, I'm trying to create some resources.	14:58
annp_	yushiro, wow, OK. :)	14:58
yushiro	I have 1 bug ( not related logging)	14:59
annp_	yushiro, What is your bug?	15:00
yushiro	If we applied a router port into default firewall_group, its status still 'INACTIVE'.	15:00
longkb	yushiro +100	15:00
longkb	firewall group status is not stable, I think	15:01
annp_	yushiro, hm I didn't play with this scenario.	15:01
yushiro	longkb, status logic is a little different b/w L3 and L2.	15:01
annp_	yushiro, yes. So I think we should do some improve the logic of set_firewall_group_status	15:02
longkb	hmm, I think I should study more about fwaas :)	15:03
yushiro	I'll try to solve this bug. BTW, did you check log data is outputted into /var/log/syslog?	15:03
annp_	yushiro, today, longkb had checked but we didn't see any log data in /var/log/syslog in his environment.	15:04
yushiro	longkb, If we associate L2 port with fwg, fwg's status is computed by _compute_status() in fwaas_v2.py.	15:05
annp_	yushiro, So tomorrow, I'll debug that. Anyway, please help me to check log data in /var/log/syslog.	15:06
yushiro	longkb, In order to be 'ACTIVE', fwg needs ('ingress_firewall_policy_id' or 'egress_firewall_policy_id') and fwg port	15:06
longkb	yushiro: +1 I got it.	15:07
annp_	yushiro, longkb, I have to go out now. So see you tomorrow.	15:08
yushiro	annp_, Thanks. See you.	15:08
longkb	G9 annp_	15:09
annp_	yushiro, longkb, thanks and G9 :)	15:09
*** annp_ has quit IRC		15:09
yushiro	longkb, For L3 port, if we create/update with fwg port and 'admin_state_up' is UP, then changed into 'ACTIVE'. In other word, in L3 logic doesn't care 'ingress/egress_firewall_policy_id'.	15:10
longkb	hmm, I can see the difference bw L2 and L3	15:12
yushiro	So, it's better to align with same logic for L2.	15:14
longkb	+1 yushiro :D	15:18
longkb	I have to off now. See you tomorrow	15:19
*** longkb has quit IRC		15:21
*** yamamoto_ has quit IRC		15:24
*** yushiro has quit IRC		15:50
*** yamamoto has joined #openstack-fwaas		16:12
*** yamamoto has quit IRC		16:42
*** chandanc has joined #openstack-fwaas		17:03
chandanc	hello xgerman_	17:06
xgerman_	hi	17:06
chandanc	Hello, do you have nay specific issue you want me to look at ?	17:08
chandanc	i did not see any driver code change in the patch	17:09
xgerman_	https://review.openstack.org/#/c/564888/10	17:09
chandanc	ok	17:09
xgerman_	this is the OVS patch — I made it run without spying errors but I have trouble figuring out why it doesn’t do what I want it to do	17:10
chandanc	oh ok	17:10
xgerman_	yeah, not sure how to debug it…	17:12
*** SridarK has quit IRC		17:13
chandanc	sorry i am abit out of touch, do you have the spec for remoteFWG ?	17:18
chandanc	xgerman_: i will logout now, will go through the patch and get back , if you have the spec handy please share with me.	17:22
xgerman_	https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html	17:23
xgerman_	it’s the original spec	17:23
chandanc	thanks xgerman_ catch you seeon	17:28
*** chandanc has quit IRC		17:28
xgerman_	thx	17:34
*** yamamoto has joined #openstack-fwaas		17:43
*** yamamoto has quit IRC		18:00
*** SridarK has joined #openstack-fwaas		18:02
*** SridarK has quit IRC		18:19
*** SridarK has joined #openstack-fwaas		18:26
*** SridarK has quit IRC		23:16
*** hongbin has quit IRC		23:19

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!