Thursday, 2018-08-16

*** longkb has joined #openstack-fwaas00:55
*** velizarx has joined #openstack-fwaas08:16
*** openstackgerrit has joined #openstack-fwaas08:55
openstackgerritNguyen Phuong An proposed openstack/neutron-fwaas master: Should forward only first accepted packet to table 91 and 92  https://review.openstack.org/59189008:55
*** longkb has quit IRC10:04
*** velizarx has quit IRC12:35
*** velizarx has joined #openstack-fwaas12:40
*** yushiro has joined #openstack-fwaas13:30
yushiroannp, ping13:30
yushiroannping13:30
*** annp_ has joined #openstack-fwaas13:36
*** wkite has joined #openstack-fwaas13:38
reedipannp_ yushiro is pinging you :)13:46
yushiroreedip, Haha, thanks :)13:46
annp_hi reedip13:50
annp_hi yushiro13:50
yushiroHi annp_ .  I checked and added more testcases regarding state transition: https://docs.google.com/spreadsheets/d/1Z_3h2Fqffz8Zjr6PHrMxBrx210jM7TtPDAFvSJtUXzg/edit#gid=013:51
yushiroThanks for testing13:52
annp_yushiro, you're welcome.13:53
yushiroannp_, Some testcases are different 'expected state'.  e.g. Update(removing 'egress_policy')13:54
yushiroLet's today's meeting.13:55
yushiros/Let's/Let's discuss13:55
annp_yushiro, ah,13:57
annp_let me ask tuanvc for updating some incorrect expected state.13:57
*** reedip is now known as reedip|afk13:58
yushiroannp_, Sure.  Does he join today's meeting?13:58
amotokiyushiro: osc-lib 1.11.1 was released14:00
annp_yushiro, let me check. Today is upgrade meeting. So he may join this meeting14:00
yushiroamotoki, Hi.  Wow, OK.  I just wonder why python-neutronclient test has passed with no depending osc-lib 1.11.1 :p14:01
yushiroHi FWaaS folks14:01
yushiroLet's begin the meeting.14:01
*** SridarK has joined #openstack-fwaas14:01
SridarKHi FWaaS folks14:01
yushiro#startmeeting fwaas14:01
annp_hi SridarK14:01
openstackMeeting started Thu Aug 16 14:01:34 2018 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.14:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:01
*** openstack changes topic to " (Meeting topic: fwaas)"14:01
njohnstono/14:01
openstackThe meeting name has been set to 'fwaas'14:01
yushiroHi SridarK14:01
annp_Hi Nate14:01
yushiro#chair SridarK14:02
openstackCurrent chairs: SridarK yushiro14:02
SridarKyushiro: today my turn i think ?14:02
yushiroSridarK, Yes, please :)14:02
SridarKok :-)14:02
SridarK#topic Rocky14:02
*** openstack changes topic to "Rocky (Meeting topic: fwaas)"14:02
SridarKThx to all for getting the FWaaS Logging patches in14:03
yushiroSridarK, Thank you too.  I really appreciate.14:03
annp_thank you a lot, SridarK.14:03
SridarKNo issues at all - yushiro annp_ longkb hoangcx - u all did a great job14:04
njohnstoncongrats - you did great work!14:04
yushiroThanks njohnston.  :)14:04
reedip|afk\o/14:04
SridarKAre there any other things that need attention14:04
annp_SridarK, njohnston: you too.14:04
annp_SridarK, I'd like to share with you some regression test between firewall and firewall logging14:05
SridarKannp_: yes i was going to ask abt that :-)14:05
annp_Here is our test result: https://etherpad.openstack.org/p/firewall-logging14:05
yushiroThis is the same URL that I wrote down at the agenda.14:06
annp_yushiro, thanks.14:06
annp_let me summarize:14:07
SridarKthx annp_14:07
yushiroOK.14:07
SridarKso we have one issue14:07
annp_1. almost case for allow/drop with L3 port work fine.14:07
SridarKsorry annp_ go ahead14:08
annp_2. almost case for allow/drop with L2 port if we didn't enable L2 logging extension work fine.14:08
annp_3. There one issue related to case when enable L2 logging extension as I declared at case 3 in the link.14:09
yushiroannp_, You mean 'almost' is 'all', right?14:10
*** longkb has joined #openstack-fwaas14:10
annp_yushiro, yes.14:10
annp_yushiro, in other word, so far so good. :)14:10
longkbo/14:10
longkbSorry, I am late14:11
yushirolongkb, welcome home :)14:11
longkbthanks yushiro :D14:11
yushiroannp_, I see.  Ok, that is same understanding.14:11
SridarKso if we have sg logging and fwaas logging enabled we have an issue14:11
SridarKalthough with fwaas logging we only support L314:11
SridarKports14:11
annp_SridarK, yes.14:11
longkb+1 SridarK14:12
yushiroSridarK, yes, you're right.14:12
annp_SridarK, I and longkb already put patches to fix that14:12
SridarKand u have patches in flight (sorry i had some PTO so not completely on top)14:12
SridarKannp_: +114:12
annp_https://review.openstack.org/#/c/591918/14:13
annp_https://review.openstack.org/#/c/591978/14:13
SridarKgot it14:13
yushiroIn addition, 1 follow up patch: https://review.openstack.org/#/c/590682/14:13
annp_SridarK, yushiro, We also need patch https://review.openstack.org/#/c/590682 to make logging work perfect. :)14:14
SridarKok thx yushiro14:14
yushiroI think https://review.openstack.org/#/c/590682/ needs to be backported into stable/rocky if possible.14:14
SridarKand annp_14:14
yushiroSorry annp_ .14:14
yushiroannp_, We've duplicated :p14:14
SridarK:-)14:15
annp_yushiro, ah. :)14:15
SridarKok sounds good we can track these14:16
annp_yushiro, Do you want to say something regards to some crazy bug at logging topic or later for bug topic14:16
SridarKlets go on to bugs then if we are done here14:16
annp_SridarK, thanks.14:16
yushiroSridarK, annp_ +1  OK.14:16
SridarKok14:16
yushiroannp_, I'll explain about this bug :)14:16
longkbgot it :D14:17
SridarK#topic bugs14:17
*** openstack changes topic to "bugs (Meeting topic: fwaas)"14:17
longkboh14:17
SridarKyushiro: pls go ahead14:17
yushiroRegarding annp_ , longkb and tuanvc's great testing, we've clarified known bug14:17
yushiroThe bug was 'state transition of firewall group'.14:18
longkbI found another crazy bug on FW Dashboard too: https://docs.google.com/spreadsheets/d/1Z_3h2Fqffz8Zjr6PHrMxBrx210jM7TtPDAFvSJtUXzg/edit#gid=142986085514:18
yushirolongkb, Yes, thank you.14:18
yushiroSridarK, This is draft version of testcases for state transition: https://docs.google.com/spreadsheets/d/1Z_3h2Fqffz8Zjr6PHrMxBrx210jM7TtPDAFvSJtUXzg/edit#gid=014:19
yushiroI'd like to clarify again about 'state definition of firewall group'.14:20
SridarKok hmm interesting we dont land up at correct status14:20
SridarKfor some updates14:20
yushiroSridarK, Yeah.14:21
yushiroThe most important point is 'what is "ACTIVE" state for firewall group?'14:22
annp_yushiro, +114:22
yushiroIn my understanding,  ACTIVE:  has ingress or egress_firewall_policy and has at least 1 port and admin_state_up is 'UP'14:22
SridarKyushiro: yes14:22
yushiroDOWN: admin_state_up is 'DOWN'14:23
annp_yushiro, SridarK, Is there any document related to fwg state?14:23
SridarKyushiro: yes14:23
SridarKannp_: not sure if we have something14:23
yushiroannp_, In my memory, we've discussed on IRC meeting only since previous cycle.14:24
annp_SridarK, yushiro, ok. So let's make the document about that14:24
SridarKbut basically, INACTIVE means that we dont have a port or policy or both - to distinguish from DOWN14:24
SridarKannp_: +114:25
yushiroannp_, +114:25
yushiroSridarK, Yes, I agree with you.      INACTIVE: has ingress or egress_firewall_policy and no port  or no ingress or egress_firewall_policy and at least 1 port  and admin_state_up is 'UP'14:25
yushiroooops, difficult for document..14:26
amotokido we need to reflect admin_state(_up) to status?14:26
SridarKyes some cleanup is needed14:26
amotokiin neutron port, admin_state UP and status ACTIVE means a port itself can work but it is disabled14:27
yushiroamotoki, DOWN ?14:27
-amotoki- is looking at the code14:28
amotokithere is a case where port status is DOWN and admin state is UP14:28
amotokiI might be wrong....14:28
SridarKI think this needs some cleanup - i just added an item to our list14:29
yushirocurrent impl, firewall group depended on 'admin_state_up' with own 'status'.  If admin_state_up is 'DOWN', then the status of firewall group changed into 'DOWN'14:29
yushiroSridarK, Thanks.14:29
annp_SridarK, ++14:29
SridarKamotoki: i think as yushiro says14:29
amotokiSridarK: yeah14:29
SridarKi think we need to look at this more and align better with neutron as well14:30
amotokithere is no clear guideline on what we should change 'status' attr when admin_state is changed..14:30
amotokiIIRC network and port have different behaviors14:30
SridarKannp_: let me take an action and document current behavior and we start a thread on clean up14:30
annp_SridarK, yeah. that sounds great!14:31
SridarKwe are a bit unique also in what we need to do if a fwg is associated with multiple ports and one of them is down or admin down14:31
SridarKso that area needs some thought too14:31
annp_SridarK, thanks.14:31
yushiroOK.14:32
yushiroI thought that firewall group was referring router's state transition but it was different..  There is no relation b/w admin_state_up and status for router.14:33
SridarKyushiro: sorry multitasking in another mtg14:34
yushiroIn case of router, if 'admin_state_up' is down, the namespace has been removed.  If we refer router's behavior, all firewall rules should be removed if we changed admin_state_up into 'DOWN'.  That is one example..14:35
yushiroSridarK, never mind :)14:35
annp_yushiro, SridarK, I think we can discuss via email14:35
yushiroannp_, +114:35
SridarKyushiro: i agree14:36
SridarKhere there are bugs and also handling multiple ports case14:37
yushiroYeah, at first, let's summarize current behavior and sync up with fwaas members.14:37
annp_yushiro, ++14:38
SridarKyushiro: +114:38
yushiroSridarK, OK, that's all from me :)14:39
SridarKok sounds good14:39
annp_longkb, your turn :)14:39
longkb+1 annp14:40
longkbI make a statistic related to FW rules updating from FW Dashboard. Please look at this doc: https://docs.google.com/spreadsheets/d/1Z_3h2Fqffz8Zjr6PHrMxBrx210jM7TtPDAFvSJtUXzg/edit#gid=142986085514:41
longkbThe value will return to default value if we do not choose again during FW rule updating14:42
amotokiit seems the first step is to check what body is passed as a request to neutron server and what is returned as a response from the neutron API.14:43
yushiroamotoki, +1  longkb I think checking request body is necessary as well.14:44
longkb+1 amotoki, yushiro :D14:44
amotokilongkb: could you file a bug to neutron-fwaas-dashboard so that all can track it?14:45
longkbamotoki: sure. I will report this bug tomorrow :D14:45
SridarK+114:46
annp_+114:46
yushiroSridarK, Can I put bug-report regarding state transition as well?14:46
SridarKlongkb: good catch - possibly some regression14:46
longkbthanks SridarK14:47
SridarKyushiro: we shd sync up on the issue with HA/DVR Ports14:49
yushiro#link https://bugs.launchpad.net/neutron/+bug/175977314:50
openstackLaunchpad bug 1759773 in neutron "FWaaS: Invalid port error on associating L3 ports (Router in HA) to firewall group" [Undecided,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)14:50
SridarKas we last discussed we need to get some clarification from the L3HA team14:50
yushiroSridarK, Yes.  However, I haven't discussed with them yet..14:51
SridarKyushiro: in ur last round of tests - it seemed like the rules were not applied appropriately14:51
SridarKyushiro: ok no issues - lets discuss more offline14:52
SridarKI think thats all we had on this topic14:52
SridarKlets move on14:52
yushiroSridarK, yes.  Even if we could associate FWG with HA port, the firewall rule has applied into 'standby' router.14:52
SridarKyushiro: +114:52
SridarKit seemed like this is something we need to handle14:53
SridarK#topic Open Discussion14:53
*** openstack changes topic to "Open Discussion (Meeting topic: fwaas)"14:53
yushiroSridarK, Yes, whether we should handle or abstract from L3-HA layer.14:53
SridarKyushiro: yes exactly14:54
yushiroTomorrow, I'll send e-mail to ML about this issue.14:54
yushiro#action yushiro will send ML about L3-HA issue14:54
SridarKyushiro: sounds good - or we can attend the L3 mtg and discuss there14:55
SridarKi think that may be more useful - so we can debug it quickly with the L3 team14:55
yushiroSridarK, yes.  Maybe after this meeting ?  will check it :)14:55
SridarKyushiro: ok14:56
amotokiIIRC there is no L3 meeting this week14:56
SridarKoh yes it was cancelled14:56
SridarKyushiro: then next week14:56
yushiroTuesday at 1500 UTC in #openstack-meeting14:56
amotokihttp://lists.openstack.org/pipermail/openstack-dev/2018-August/133129.html14:56
yushiroSridarK, OK, thanks.14:56
SridarKyushiro: i will ping u during ur day time and lets discuss b4 we attend the L3 mtg14:57
yushiroamotoki, Thanks akihiro14:57
yushiroSridarK, OK, thanks.14:57
SridarKi think it shd be quick IMO - we just need a specific clarification14:57
SridarKok if nothing else we can close out ?14:57
SridarKThx all for joining14:58
SridarKhave a great week14:58
yushiroSridarK, Yes, we're asking from Chris and Hyunsun14:58
yushiroThanks all.14:58
annp_SridarK, you too14:58
SridarK#endmeeting14:58
*** openstack changes topic to "Queens (Meeting topic: fwaas)"14:58
openstackMeeting ended Thu Aug 16 14:58:51 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)14:58
openstackMinutes:        http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-08-16-14.01.html14:58
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-08-16-14.01.txt14:58
openstackLog:            http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-08-16-14.01.log.html14:58
annp_Thanks all, bye14:59
yushiroChris... Chris Wright!! Aha, my friends :)14:59
longkbbye guys :d14:59
*** annp_ has quit IRC14:59
yushiroSridarK, do we need to reply on launchpad regarding L3-HA ?14:59
SridarKyushiro: hmm ok lets talk during ur morn15:00
SridarKso we have some plan and we can update accordingly15:00
yushiroSridarK, OK. So, we should reply the results after discussing L3-meeting, shouldn't we?15:00
SridarKmy concern is we rush and land up opening a security hole15:01
SridarKyushiro: +115:01
SridarKI will ping u during ur morn time15:01
SridarKlets discuss some more15:01
yushiroSridarK, That's correct.  Thanks.  So,  I'll wait for this reply.15:02
SridarKyushiro: also we can discuss the current patches in flight15:02
SridarKfor logging15:02
*** longkb has quit IRC15:02
SridarKin terms of what needs to land in stable/rocky15:02
SridarKok it is very late for u - lets talk more during ur morn15:02
SridarKGN yushiro15:03
yushiro SridarK Thanks.  gn :)15:03
SridarKbye15:03
yushiroping doude15:04
*** yushiro has quit IRC15:08
*** wkite has quit IRC15:10
openstackgerritAkihiro Motoki proposed openstack/neutron-fwaas-dashboard master: Drop nose dependencies  https://review.openstack.org/59253915:11
*** velizarx has quit IRC15:11
*** yushiro has joined #openstack-fwaas15:17
yushiroI tried installing LimeChat. I can finally type in Japanese.15:18
yushiroOops, sorry15:18
*** yushiro has quit IRC15:19
*** longkb has joined #openstack-fwaas15:21
*** longkb has quit IRC15:22
*** longkb has joined #openstack-fwaas15:34
openstackgerritAkihiro Motoki proposed openstack/neutron-fwaas-dashboard master: Drop nose dependencies  https://review.openstack.org/59253915:47
*** longkb has quit IRC16:00
*** longkb has joined #openstack-fwaas16:05
*** SumitNaiksatam has joined #openstack-fwaas16:20
*** longkb has quit IRC16:28
*** SridarK has quit IRC16:31
*** openstackgerrit has quit IRC16:49
*** doude has quit IRC17:31
*** njohnston has quit IRC23:27
*** njohnston has joined #openstack-fwaas23:28
