04:00:23 <njohnston> #startmeeting fwaas
04:00:24 <openstack> Meeting started Wed Jun  8 04:00:23 2016 UTC and is due to finish in 60 minutes.  The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
04:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
04:00:27 <openstack> The meeting name has been set to 'fwaas'
04:00:32 <njohnston> #chair SridarK_ xgerman
04:00:33 <openstack> Current chairs: SridarK_ njohnston xgerman
04:00:43 <njohnston> Hi everybody!
04:00:45 <chandanc> Hello All
04:00:55 <SarathMekala> Hi
04:00:55 <SridarK_> Hi All
04:01:03 <padkrish> hello all
04:01:15 <yushiro> padkrish, Hi
04:01:20 <shwetaap> Hi
04:01:50 <SridarK_> overall i think this week we have started things moving in the right directions with multiple discussions
04:02:21 <hoangcx> hi
04:02:30 <njohnston> Agreed, which is timely given that N-1 was cut
04:02:54 <njohnston> So let
04:02:55 <SridarK_> yes we hope the next few weeks will be very productive
04:03:03 <SridarK_> #topic FWaaS V2
04:03:16 <SridarK_> lets start things off with v2
04:03:47 <njohnston> I've been banging on the DB patch a bit
04:03:56 <njohnston> I hope to really focus on that tomorrow
04:04:01 <SridarK_> njohnston: , padkrish: mfranc213 &  i kickstarted some discussions on the db - plugin interactions
04:04:05 <SridarK_> njohnston: great thx
04:04:23 <padkrish> SridarK: great
04:04:28 <yushiro> great
04:04:28 <SridarK_> to ur question - we can live without alembic migrations for now
04:04:47 <SridarK_> bit of a pain - but we can create the needed tables manually on a devstack deployment
04:05:13 <njohnston> indeed, I think that is viable for now
04:05:16 <SridarK_> njohnston: so great - i think we can do a bit of integration by end of week
04:05:25 <SridarK_> across ext - db - plugin
04:05:55 <njohnston> I will try to have something posted tomorrow that works and has some basic unit tests
04:06:09 <SridarK_> i have started digging into the plugin pieces on the versioned objects - based on pointers from njohnston: & mfranc213:
04:06:10 <SridarK_> thx
04:06:24 <SridarK_> njohnston: cool
04:06:59 <SridarK_> padkrish:, yushiro: how are things on the agent side of things
04:07:23 <padkrish> yushiro has a patch posted
04:07:24 <SridarK_> yushiro: apologies - we had to do a quick discussion which was a very inconvenient time for u
04:07:41 <SridarK_> yushiro: yes started looking
04:07:56 <padkrish> that's a great start, imo... still some interactions with driver and plugin is pending work
04:08:04 <yushiro> SridarK_, OK. It's nothing.
04:08:05 <padkrish> plus some unit test code
04:08:17 <SridarK_> padkrish: agreed
04:08:23 <yushiro> SridarK_, padkrish And some comments are given from Ihar and Miguel angel Ajo.
04:08:59 <SridarK_> yushiro: yes and thx to njohnston: to get some discussions with the qos folks
04:09:06 <padkrish> yushiro: Yes, i have given 2-3 comments...nothing new, we already discussed those..
04:09:24 * njohnston is happy to facilitate
04:09:34 <yushiro> padkrish, oh, really? After finished meeting, let's share some information :)
04:09:45 <yushiro> SridarK_, yeah.
04:09:55 <padkrish> yushiro: sure :)
04:10:37 <njohnston> So quick question - at the summit, we mentioned that the Neutron change to relocate the ipchains 'ACCEPT' needed to be put in sooner rather than later because of the lengthy Neutron review process.  Is there an ETA for this?
04:11:09 <SridarK_> njohnston: yes good point - we should get this moving
04:11:26 <njohnston> If I have the wrong impression, please correct me. :-)
04:11:48 <SridarK_> looks like mickeys is not on today - i chatted with him briefly earlier - he said he got sucked into some high priority stuff
04:11:57 <xgerman> O/
04:12:15 <SridarK_> chandanc: Sarath - can u pls ping mickeys
04:12:18 <SridarK_> so u can help out
04:12:21 <chandanc> Sure will do
04:12:25 <SarathMekala> sure
04:12:34 <SridarK_> he said he is more than happy to provide all the information
04:12:45 <chandanc> I have started looking at the iptables driver and was about to ping mickey anyways
04:12:50 <SridarK_> just that he is spinning on some critical stuff
04:12:58 <SridarK_> chandanc: ok great
04:13:25 <SridarK_> chandanc: SarathMekala: pls do let me know if u want me to facilitate anything in this regard
04:13:46 <chandanc> sure will ping you
04:14:05 <shwetaap> For the V2 patch, I have reused many of the tests from the existing test_firewall.py to create a test_firewall_v2.py. But I am seeing failures while running the tests. I think I need a patch in neutron to  register FIREWALL_V2 as an extension as well, is that right?
04:14:11 <SarathMekala> I have a few questions regarding V2 implementation.. I will send across a mail after this meeting
04:14:19 <SridarK_> shwetaap: ok great - was abt to get to u
04:14:31 <SridarK_> SarathMekala: surely
04:15:00 <SridarK_> shwetaap: this could be a path issue
04:15:11 <SridarK_> on where extensions are defined
04:15:16 <SridarK_> it should pick it up
04:15:35 <SridarK_> now on UT u may need to do some funky stuff with the ext manager
04:15:37 <shwetaap> oh .. so I dont need to register Firewall_v2 in neutron
04:16:04 <SridarK_> shwetaap: once the ext is defined - it should pick it up and become part of what neutron supports
04:16:21 <SridarK_> shwetaap: i can sync with u more if u need help
04:16:45 <shwetaap> SridarK_: yea ok we can do that. Thanks
04:16:55 <SridarK_> shwetaap: i have done a basic test earlier - but i think there could be some minor gotchas that can mess things up
04:17:11 <SridarK_> shwetaap: ok cool thx
04:17:29 <SridarK_> other things on v2 we want to discuss ?
04:18:13 <SridarK_> ok lets move on
04:18:17 <SridarK_> #topic L3 Agent Extension
04:18:35 <njohnston> mfranc213 and I have been working on the spec
04:18:36 <njohnston> #link https://review.openstack.org/#/c/315745/
04:18:37 <SridarK_> njohnston: thx and floor is all yours
04:18:48 <njohnston> please take a look
04:18:54 <xgerman> +1 think we are close
04:19:04 <njohnston> in particular the section on how the l2 agent extension works may be of interest
04:19:09 <SridarK_> +1 agreed - i think that is coming together nicely
04:19:23 <njohnston> https://review.openstack.org/#/c/315745/11/specs/newton/l3-agent-extension.rst@59
04:19:54 <njohnston> so I think we just need review momentum
04:19:59 <SridarK_> njohnston: +1
04:20:12 <SridarK_> i have to review the last edits
04:20:20 <SridarK_> will do that tomorrow
04:20:21 <yushiro> njohnston, Yes. ur spec is very clear.  I'll review it again.
04:20:35 <njohnston> SridarK_ yushiro: many thanks
04:20:49 <SridarK_> Folks Thu morn pacific is the L3 team mtg
04:21:14 <SridarK_> so some review feedback will help njohnston: & mfranc213: to have this in good shape before that
04:21:28 <SridarK_> this can help us get more eyes from the L3 team
04:21:31 <SridarK_> thx
04:21:32 <njohnston> And then once fwaas v2 db is more secure I will start to look at an implementation for this, which will be some heavy lifting so the earlier we get started the better
04:21:53 <xgerman> Yep
04:21:54 <SridarK_> njohnston: yes agreed
04:22:09 <njohnston> that is all I have on that
04:22:21 <SridarK_> njohnston: if i can do some quick refactor on the plugin - i can help u as well
04:22:31 <njohnston> SridarK_: That would be very welcome
04:23:23 <SridarK_> so as i understand, we will continue work on the L3 agent pieces and switch over to the new L3 Agent model when it is avail
04:23:54 <SridarK_> and hopefully we can commonize the plugin i/f pieces of the agent across L2 and L3
04:24:09 <njohnston> Yes, that is my understanding as well.  As long as the fundamentals are sound, we should be able to tie in to the extension mechanism easily - especially so since we're the ones defining the extension mechanism.
04:24:25 <SridarK_> njohnston: that is my thinking and hope as well
04:24:40 <njohnston> There are pitfalls making the interface common across L2 and L3, but we can burn those bridges whenw e get tot hem
04:24:49 <njohnston> when we get to them
04:24:50 <SridarK_> njohnston: +1
04:25:20 <xgerman> +1
04:25:43 <SridarK_> ok lets move on
04:26:17 <SridarK_> #topic tempest jobs
04:26:32 <SridarK_> njohnston: thx for capturing this
04:26:40 <njohnston> yes, it seems that fwaas stuff broke the neutron-api gate jobs
04:26:44 <njohnston> but it wasn't our fault
04:27:02 <njohnston> the decoupling of l3 from fwaas seemed to have some issues, is my take on things
04:27:12 <njohnston> #link https://review.openstack.org/321146
04:27:21 <njohnston> #link https://review.openstack.org/214358
04:27:41 <xgerman> Didn't armax fix that once?
04:27:45 <njohnston> change https://review.openstack.org/325940 was abandoned in favor of
04:27:56 <njohnston> #link https://review.openstack.org/#/c/326150/)
04:28:13 <njohnston> the coupling in question was in the devstack-gate code I guess
04:28:54 <SridarK_> the devstack patches have not merged
04:29:27 <njohnston> The key one was the last one I think - https://review.openstack.org/#/c/326150/ - which at least got the fwaas test working again
04:29:42 <SridarK_> i think it was pointed out the need for a dependency so that we have the fwaas plugin in place b4 q-fwaas is pulled out of devstack
04:29:45 <njohnston> there was a use of an internal symbol in one of the fwaas tests that needed to be replaced with a proper method
04:29:56 <SridarK_> njohnston: yes
04:30:19 <njohnston> Apropos to that, I worked on the fwaas devstack plugin today
04:30:21 <njohnston> #link https://review.openstack.org/214350
04:30:47 <xgerman> Yeah. I hope that will come together soon
04:31:08 <njohnston> mestery is seeing a strange error in his testing that I am not seeing; I encourage people to spin up devstacks and try it themselves.  mestery posted the line he uses in his local.conf so that should help
04:31:22 <SridarK_> njohnston: i am pulling this too
04:31:35 <njohnston> reviews and comments are encouraged
04:31:37 <SridarK_> i waited as the error was reported on the review
04:31:51 <SridarK_> njohnston: ok if u dont see it - i will restart that
04:32:00 <njohnston> SridarK_: Yes, please.  Thanks!
04:32:52 <SridarK_> in looking at the patch - it did seem that we have the necessary pieces
04:33:25 <SridarK_> njohnston: ok i will replicate this, i have an env ready
04:33:50 <njohnston> Yes, and mestery's error - "cp: cannot stat '/opt/stack/neutron-fwaas/etc/.sample': No such file or directory " - makes it sound as though there is an env variable that should be filled in before the .sample that is null
04:34:34 <SridarK_> njohnston: but u dont encounter this ?
04:35:06 <njohnston> SridarK_: No, I don't - my devstack build completes without issue.
04:35:31 <njohnston> I started to try to exercise the fwaas API to functionally test it but I ran out of time before the meeting
04:35:40 <SridarK_> ok we can sync tomorrow
04:36:16 <SridarK_> anything else folks would like to discuss on anyt other patches
04:36:18 <yushiro> njohnston, If possible, I'll try it and tell you about the result.
04:36:32 <njohnston> yushiro: I am very grateful.
04:36:51 <chandanc> i can try it too :)
04:37:02 <njohnston> chandanc: Thank you very much as well.
04:37:27 * njohnston has nothing else for the agenda
04:37:40 <SridarK_> ok lets get to open discussion
04:37:45 <xgerman> Same here
04:37:50 <SridarK_> #topic Open Discussion
04:38:40 <SridarK_> we can start to think abt the virtual mid cycle next week ?
04:39:00 <njohnston> +1 sounds good
04:39:23 <SridarK_> i know folks may have some summer vacation plans too - so we can try to pin down some dates
04:39:39 <njohnston> I wonder if we can get openstack bot in #openstack-fwaas so we can use that channel for our discussions and have it logged
04:39:52 <SridarK_> njohnston: huge +1
04:40:00 <yushiro> njohnston, +1 good idea.
04:40:40 <xgerman> we would need everybody to log out. Easier to create a new channel
04:40:51 <SridarK_> ok lets dig more on what it takes
04:40:58 <SridarK_> xgerman: ok
04:41:16 <xgerman> That's what we did in LBaaS
04:42:32 <SridarK_> xgerman: thx lets discuss this and see what is the best way fwd - we could have a quick chat tomorrow
04:42:51 * njohnston is interested in chatting about it as well
04:42:56 <xgerman> Sounds good
04:43:03 <SridarK_> njohnston: ok perfect
04:43:32 <SridarK_> did not have anything else major to discuss
04:43:50 <chandanc> SridarK: njohnston: I have a qiestion on the v2 api. As mentioned by xgerman in reply to my mail, sg-groups in neutron can be disabled. Do you guys thing we will have v2 api and sg-group active at the same time or we would want the sg-group disabled
04:44:25 <SridarK_> chandanc: we can disable sg group for testing using the noop Firewall driver (SG)
04:44:27 <xgerman> Both active... But operators can choose
04:44:35 <njohnston> I think that we should strongly recommend that SG be shut down, but it should be operator choice.
04:44:37 <SridarK_> but in terms of merging we cannot rely on that
04:44:54 <xgerman> njohnston: +1
04:44:55 <SridarK_> we should allow for the fact that it can be active
04:44:58 <chandanc> SridarK: ok got it
04:45:15 <xgerman> More importantly we shouldn't break in those configurations
04:45:16 <njohnston> But we can explain that when dealing with two sets of firewall rules the results may be nondeterministic, and thus an operator would be putting the tenant experience at risk
04:45:22 <SridarK_> i agree on the recommendation
04:45:33 <xgerman> +1
04:45:58 <SridarK_> njohnston: the results should be deterministic - as long as we have wired things properly
04:46:25 <chandanc> ok sure
04:46:35 <xgerman> Yep. Contrack, etc need to be made singletons
04:46:44 <SridarK_> this is the tricky thing to make sure we dont break
04:46:46 <xgerman> Mickeys has more insight
04:46:51 <SridarK_> xgerman: +1
04:46:55 <chandanc> ya i am discussing that part with mickey
04:47:12 <SridarK_> chandanc: SarathMekala: good point and yes u can close that with mickeys
04:47:42 <chandanc> I just sent him a mail on this
04:47:50 <SridarK_> ok great
04:47:52 <padkrish> chandanc# if you can jot down some of your understanding on an etherpad, it will be super useful
04:48:08 <chandanc> Will surely do :)
04:48:16 <xgerman> If you send me the link I can comment as well
04:48:17 <padkrish> chandanc: thanks
04:48:42 <chandanc> xgerman: sure
04:49:24 <SridarK_> ok we can get some time back - if nothing else
04:49:34 <njohnston> SridarK_: Will you be on IRC tomorrow?
04:49:40 <SridarK_> njohnston: yes
04:49:49 <SridarK_> if u dont see me just shoot me an email
04:49:52 <njohnston> Excellent, I will ping you anon.
04:50:06 <xgerman> Same here but I have a ton of distraction s
04:50:27 <SridarK_> +1
04:50:57 <SridarK_> ok folks thx for joining and for the discussions.
04:51:15 <xgerman> +1
04:51:20 <njohnston> thanks all!
04:51:24 <yushiro> +1 :-)
04:51:26 <SridarK_> #endmeeting