04:00:05 <njohnston> #startmeeting fwaas 04:00:06 <openstack> Meeting started Wed May 25 04:00:05 2016 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot. 04:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 04:00:09 <openstack> The meeting name has been set to 'fwaas' 04:00:18 <njohnston> #chair SridarK_ 04:00:18 <openstack> Current chairs: SridarK_ njohnston 04:00:26 <njohnston> Hi everyone 04:00:34 <chandanc> Hello All 04:00:39 <SarathMekala> Hi 04:00:41 <mickeys> Hi 04:00:44 <mfranc213> hi 04:00:53 <SridarK_> lets get started - i see most folks are on 04:01:00 <shwetaap> hello 04:01:21 <njohnston> #topic Announcements 04:01:21 <SridarK_> njohnston: thx for getting the agenda set 04:01:37 <njohnston> I just want to note that we are now 1 week from N-1. Tempus fugit! 04:02:09 <njohnston> This means that we are 1/3 done with the Newton cycle. We should think about our velocity to make sure we are on track. 04:02:31 <SridarK_> +1 04:02:40 <njohnston> which leads me to... 04:02:44 <yushiro> Hi, sorry for late. 04:02:48 <njohnston> #topic Mid-Cycle 04:03:08 <njohnston> In Austin when we met, we had talked about doing a virtual mid-cycle 04:03:22 <njohnston> I am still in favor of that idea, but what does everyone think? 04:03:43 <njohnston> If we decide we can add it to the wiki page https://wiki.openstack.org/wiki/VirtualSprints#Schedule_of_Upcoming_OpenStack_Virtual_Sprints 04:03:51 <njohnston> We should be aware of the timing of the Neutron mid-cycle: https://wiki.openstack.org/wiki/Sprints#Future_sprints_for_Newton 04:04:04 <mfranc213> +1 also can you post the meeting agenda? ;) 04:04:25 <njohnston> https://etherpad.openstack.org/p/fwaas-meeting 04:04:39 <padkrish> +1 04:04:43 <yushiro> +1 04:05:12 <SridarK_> yes i too think a virtual mid-cycle is more favorable with geography of contributors 04:05:20 <njohnston> Does anyone have any thoughts about timing, or is it premature to think about that? 04:05:48 <SridarK_> but perhaps lets first get some traction going - so we can be more productive during the mid-cycle 04:06:18 <SridarK_> i think we have some things to decide before we get to this 04:06:22 <njohnston> ok, so sounds like we still like the virtual idea, but it's too early to get something on the books. 04:06:39 <SridarK_> i am hoping we can get some thing going in the next week 04:07:10 <SridarK_> once we have some skeletal pieces beginning to talk to each other - then we can make some quick progress by blocking some time 04:07:15 <SridarK_> just my thought 04:07:22 <njohnston> +1 04:07:33 <njohnston> #topic L2 and L3 04:08:02 <njohnston> SO we want to integrate with 2 agents, both L2 and L3 04:08:27 <njohnston> Do we want to approach this in parallel, or work on one then the other? 04:08:56 <njohnston> I was having a converation with mfranc213 about this today and I realized we weren't on the same page, so I wanted to get the team's thought. 04:09:14 <SridarK_> i think we should approach them in parallel 04:09:47 <SridarK_> if some folks can get the L2Agent integration started - out of this we can evolve some patterns that can be used in L3 04:10:03 <SridarK_> L3 is a bit simpler w.r.t iptables 04:10:14 <njohnston> L3 may need to be on the back burner for a bit while the L3 agent extension gets wrangled out, and then I agree we can re-use patterns from the L2 implementation. 04:10:26 <njohnston> mfranc213: what do you think? 04:10:44 <SridarK_> Now with the change to get us going, in theory we can work thru the L3Agent to go end to end 04:10:51 <mfranc213> i agree that L2 should, minimally, be started first. 04:10:53 <SridarK_> as we are operational 04:11:02 <mfranc213> i don't believe we have enough people to do these in parallel 04:11:27 <mfranc213> but i like what srikark_ is saying 04:11:36 <mfranc213> which i think is (tell me if i'm wrong): 04:12:11 <mfranc213> start the L2 to get the general architecture understood/in place. then go to the L3 which is simpler to implement. 04:12:30 <SridarK_> mfranc213: yes along those lines 04:12:32 <mfranc213> that may get us with something to present soonest 04:12:35 <mfranc213> perhaps 04:12:39 <SridarK_> mfranc213: yes 04:13:04 <SridarK_> if we have flushed out iptables on L2 then we can continue forth with the L2 implementation 04:13:34 <SridarK_> in terms of actually getting some things comitted we will need a reference backend in place 04:13:40 <mfranc213> njohnston: what do you think? 04:13:57 <SridarK_> which is simpler in L3 04:14:36 <mfranc213> and which has been done, thought in a different way, in v1. right? 04:14:40 <mickeys> The quickest way to get something running is to run with noopfirewall driver (for security groups). In order to run with iptablesfirewall driver (for security groups), the coexistence changes have to be made. 04:14:47 <mfranc213> s/thought/though 04:15:04 <njohnston> I agree with everything which has been said, and I look forward to tearing into the reference backend. I think the risk is in leaving the L3 agent extension to be done by a third party, which surrenders the initiative so to speak. That to me is a long pole that is difficult to control, and so is a risk item. 04:15:10 <SridarK_> mickeys: yes we can do that for sure, but to get changes in - we cannot break SG 04:15:44 <mickeys> agreed 04:15:54 <SridarK_> in essence the crux of the FW agent code should be very similar for L2 & L3 04:15:59 <SridarK_> possibly the same 04:16:19 <SridarK_> how we bolt things in to the L2 & L3 framework could be a bit different 04:16:26 <SridarK_> and some validations etc 04:16:33 <njohnston> +1 04:17:04 <njohnston> OK, I think we talked that one out. 04:17:10 <njohnston> #topic Explicating the dependency chain 04:17:19 <njohnston> It'd be good to know for sure what depends on what so we can prioritize 04:17:25 <SridarK_> but if we can flush out the L2 extension and how we interact with it we can get some things in place for L3 04:17:34 <SridarK_> sorry 04:17:54 <njohnston> This came about when I was trying to test the existing code for the FWaaS DB change and found it depended on one or two other changes 04:18:12 <njohnston> I made a stab at a graphical representation, please check it for accuracy: https://cdn.pbrd.co/images/1aBZwDKm.png 04:18:35 <SridarK_> njohnston: on the DB piece, we should have a dependency on the v2 extensions 04:18:50 <SridarK_> and this is mostly okay - i have tested that 04:19:03 <njohnston> Yes, that was what I discovered :-) 04:19:14 <SridarK_> there are probab some more few bits that need filling in 04:19:27 <njohnston> and I think the DB piece needs to be in place before versioned objects can really be gated on 04:19:27 <SridarK_> shwetaap: i think u have started looking into this ? 04:19:54 <SridarK_> njohnston: i have some basic stuff on rules added to the db patch 04:20:23 <SridarK_> but we will need at least a skeletal piece of code on the Firewall group 04:20:45 <SridarK_> before we can hit the versioned object - agent interaction if i am not mistaken 04:21:33 <njohnston> which change is the firewall group? 04:21:46 <SridarK_> if we can start getting these piece integrated that will could be our first steps 04:22:01 <SridarK_> the db changes to support firewall group 04:22:19 <njohnston> ah, I see 04:23:22 <njohnston> The good news is that Armando's fix merged last week, so the gate should be working fine now. Yay! 04:23:31 <SridarK_> yes it is 04:23:36 <shwetaap> SridarK_: sorry, yea I have taken a look at the extension patch, but I havent made any changes to it yet. 04:23:39 <SridarK_> we have tempest passing too 04:23:43 <yushiro> :) 04:23:54 <SridarK_> shwetaap: ok no worries 04:24:13 <SridarK_> so we are pretty much operational 04:24:53 <njohnston> #topic L3 Agent Extension 04:25:14 <njohnston> The spec is still waiting for comments: https://review.openstack.org/#/c/315745/ 04:25:37 <SridarK_> njohnston: yes i am looking at it 04:25:40 <njohnston> If folks could take a look and give feedback, or +1 if it looks good to you. 04:25:51 <yushiro> njohnston, Sure. 04:25:54 <njohnston> Thanks SridarK_! 04:26:00 <njohnston> Thanks yushiro! 04:26:28 <njohnston> #topic Observer Hierarchy 04:26:58 <njohnston> mfranc213 was wondering about the RPC callbacks/observer hierachy: can the same mechanism, whatever it may end up looking like, be the same for L2 and L3 callbacks/notifications? 04:27:05 <SridarK_> I have pinged the submitter and he is retesting the patch 04:27:27 <mfranc213> njohnston: i don't know, unfortunately 04:27:39 <SridarK_> what does it look like for L2 04:27:45 <SridarK_> i suspect it should be similar 04:27:55 <mfranc213> miguel may be able to speak to this. 04:27:59 <SridarK_> we are essentially looking for changes in port state 04:28:13 <SridarK_> or router state in L3 04:29:05 <mfranc213> but my belief is that these would be structurally the same if not simply one thing. ("these" = the two RPC callback implementations, for L2 or L3) 04:29:17 <mfranc213> again, i think miguel can shed light on this 04:29:20 <SridarK_> for L3 extensions - this piece is already present as the Observer Hierarchy 04:29:36 <mfranc213> yes 04:29:49 <SridarK_> there are some router events that one can register callbacks to get notifications 04:30:07 <mfranc213> sorry, change would for could ^^ 04:30:29 <SridarK_> i suspect for L2 we can register for port events ? 04:30:49 <njohnston> Yes, I believe that is correct, looking at how QoS does it: https://github.com/openstack/neutron/blob/master/neutron/services/qos/notification_drivers/manager.py 04:31:43 <yushiro> mfranc213, SridarK_ regarding L2, I think it is very similar architecture QoS too. 04:31:54 <SridarK_> yushiro: ok 04:31:57 <njohnston> actually that is the manager, here is where it registers for notifications: https://github.com/openstack/neutron/blob/master/neutron/services/qos/notification_drivers/message_queue.py 04:32:02 <yushiro> However, we have to define new agent_driver, right? 04:32:05 <padkrish> SridarK_# Isn't that what German's patch does? https://review.openstack.org/#/c/268316/2/neutron_fwaas/services/firewall/agents/v2/l2_agent_extension/fwaas_extension.py? 04:32:47 <SridarK_> padkrish: yes i think German starting pulling things together - but i think it is still WIP 04:33:24 <padkrish> Basically get port notifications from L2 agent extensions and FW resource notifications similar to observer hierarchy 04:33:31 <padkrish> SridarK_#Yes agreed 04:33:50 <yushiro> padkrish, correct. 04:34:52 <mfranc213> on the L2 level, is it just notifications of port updates that is needed by the agent? 04:35:23 <SridarK_> i would think so 04:35:26 <mfranc213> please fix the grammar of that question as you read it :) 04:35:38 <SridarK_> mfranc213: :-) 04:35:44 <yushiro> mfranc213, yes. I think so too. 04:36:20 <mfranc213> i recall something about namespace information needed by the agent. maybe i imagined that? 04:36:35 <SridarK_> mfranc213: that is for L3 04:36:40 <mfranc213> thank you 04:36:45 <SridarK_> ok i think we need to sort out some of these interactions for the agents 04:37:03 <njohnston> yes 04:37:13 <SridarK_> yushiro: , padkrish: are u guys looking into this ? 04:37:48 <yushiro> SridarK_, currently, we're looking into QoS implementation for L2. 04:37:48 <SridarK_> njohnston: , mfranc213: i think both of u have domain expertise here 04:38:03 <SridarK_> yushiro: ok 04:38:05 <yushiro> padkrish, SridarK_, And, I'll try to update xgerman's patch(https://review.openstack.org/#/c/268316/ 04:38:14 <padkrish> SridarK_# Yes.. thanks to mfranc213, njohnston for the QoS pointers 04:38:24 <njohnston> Happy to help, anytime :-) 04:38:52 <SridarK_> padkrish: yushiro: other things u guys would like discuss on this topic ? 04:39:19 <SridarK_> mfranc213: njohnston: thx for all the pointers 04:39:36 <padkrish> if i understand right, the versioned objects in the patch https://review.openstack.org/#/c/268316/2/neutron_fwaas/objects/ports.py is where more work is needed 04:39:52 <SridarK_> padkrish: ok 04:40:18 <yushiro> SridarK_, currently OK. 04:40:20 <padkrish> this is where i think, German was referring to following QoS patch more closely 04:40:31 <SridarK_> yes agreed 04:40:35 <xgerman> Yep 04:40:50 <padkrish> xgerman# there you are :) 04:41:11 <SridarK_> now to make progress on the L3 Agent framework, we should look for defining a workflow that is quite similar 04:41:19 <xgerman> Yeah, I heard my name :-) 04:41:24 <SridarK_> :-) 04:41:28 <padkrish> :) 04:41:28 <njohnston> :-) 04:41:37 <mfranc213> :) 04:41:43 <yushiro> smile! 04:41:52 <mfranc213> i love this meeting 04:41:53 <SarathMekala> just to be in loop :) 04:42:09 <njohnston> I think the last major thing I have been tracking is 04:42:16 <SridarK_> hang on 04:42:31 * njohnston hangs 04:42:36 <SridarK_> So we can try to get some comments on to njohnston's spec 04:42:59 <SridarK_> i would like to see if we can flush out a basic L3 workflow along the lines of L2 04:43:37 <SridarK_> i think having a similar model greatly increases how quickly we can get support on the L3 framework 04:43:41 <xgerman> Yeah, the more we can share the better 04:43:54 <mfranc213> +1 04:44:43 <SridarK_> and if we have a model in place, given that we have a working L3 model - we can refactor the code (to commonize with L2) and fit the final L3 model 04:44:54 <SridarK_> at least in a ideal world this might work 04:45:33 <SridarK_> ok i am done on this topic 04:45:48 <njohnston> #topic Neutron iptables changes 04:46:20 <mickeys> I still need to file the bugs and start on the code for security groups coexistence 04:46:34 <njohnston> mickeys: Is there anything we can do to facilitate? 04:46:41 <mfranc213> mickeys: would you be able to email the group sample sample iptables doc that show before (with SG but not FW entries) and after (with both SG and FW entries 04:47:06 <mickeys> Yes I can email the sample. Actually I should just put that in the bug? 04:47:16 <mfranc213> yes, perfect. 04:47:23 <SridarK_> +1 04:47:25 <xgerman> +1 04:47:42 <mfranc213> and this would show the wrapped and unwrapped stuff 04:47:46 <mickeys> Yes 04:47:51 <mfranc213> nice 04:48:44 <mickeys> chandanc: Any chance you can take on the conntrack coexistence issue? 04:49:06 <chandanc> Sure will take a look 04:49:11 <mickeys> I can file the bug 04:49:54 <SridarK_> chandanc: SarathMekala: Did u guys also have any other questions ? 04:50:16 <chandanc> not at this time 04:50:33 <SarathMekala> I was going through Mickeys patch.... and felt if it would be helpful if there is a spec for reference 04:51:14 <SarathMekala> any pointers in this regards? 04:51:47 <mickeys> I don't have anything written up. The main starting point is to understand the security groups iptables firewall driver. 04:51:58 <mickeys> We could have a call? 04:52:12 <SarathMekala> Yeah that would be helpful 04:52:55 <njohnston> Well, we have seven minutes left, so let's open the floor 04:53:06 <njohnston> #topic Open Discussion 04:53:28 <mfranc213> by the way, one thing i just realized (maybe i'm the last to realize): to add myself as a reviewer too all relevant fwaas-related patches in order to get notifications 04:54:22 <njohnston> I try and add folks when I see them missing, but I don't know everyone's launchpad ID. In particular padkrish and shwetaap I had a hard time finding you to add as a reviewer for a change. 04:54:49 <mfranc213> also, nate's dependency chart and some things that i will finish when i get cycles should go on our wiki. sorry for keep mentioning the wiki. 04:55:14 <SridarK_> mfranc213: yes pls let me know what u would like to add 04:55:21 <SridarK_> we can sync offline 04:55:30 <xgerman> Wiki is good. But we should also start a doc directory in tree 04:55:40 <SridarK_> i think there are issues with access so i can proxy 04:55:48 <SridarK_> xgerman: +1 04:55:51 <njohnston> I like a doc directory in tree 04:55:58 <mfranc213> xgerman +1 04:56:01 <padkrish> #njohnston# I will add myself as reviewer and will mail my launchpad ID 04:56:05 <mfranc213> +3 really 04:56:10 <njohnston> Thanks padkrish! 04:56:15 <njohnston> So, is this meeting time still working for everyone? 04:56:49 <mfranc213> not me, really :( i'm sorry. but i will keep doing it. 04:57:11 <yushiro> Hi, I'm summarizing FWaaSv2 L2 part at etherpad in order to share our(my) progress. I'll send link ASAP. 04:57:32 <mfranc213> for me, anyway: maybe ask this same question, about meeting time, next week? 04:57:32 <SridarK_> yushiro: ok sounds good thx 04:57:43 <SridarK_> :-) 04:57:48 <njohnston> mfranc213: sure thing 04:57:56 <njohnston> yushiro: Thanks, I look forward to reading it 04:58:29 <SridarK_> njohnston: mfranc213: will sync offline to see how we can get some basic integration with plugin going 04:58:37 <yushiro> xgerman, hi. I'd like to ask you some question about your patch. 04:58:40 <SridarK_> i would like for us to start churning the patchsets 04:58:51 <njohnston> +100 to churn 04:58:57 <xgerman> yushiro: sure 04:59:07 <SridarK_> also folks can u pls pull a devstack env - albeit v1 04:59:10 <yushiro> How about discussing #openstack-fwaas 04:59:11 <yushiro> ? 04:59:15 <SridarK_> then u can start playing with things 04:59:18 <xgerman> Sure 04:59:24 <yushiro> padkrish, How about you ? 04:59:27 <SridarK_> 1 min 04:59:28 <padkrish> sure yushiro 05:00:00 <yushiro> xgerman, padkrish Thank you. Let's move #openstack-fwaas after 1 minute. 05:00:05 <njohnston> all right, I have to call time 05:00:07 <xgerman> K 05:00:08 <yushiro> Oh, it's now :) 05:00:08 <njohnston> #endmeeting