04:00:04 <njohnston> #startmeeting fwaas
04:00:05 <openstack> Meeting started Wed Jun 15 04:00:04 2016 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
04:00:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
04:00:08 <openstack> The meeting name has been set to 'fwaas'
04:00:21 <njohnston> Hello all!
04:00:31 <yushiro> hello :)
04:00:37 <njohnston> #chair SridarK xgerman
04:00:38 <openstack> Current chairs: SridarK njohnston xgerman
04:00:48 <xgerman> o/
04:00:59 <SridarK> Hi All
04:01:15 <SridarK> shall we get started
04:01:24 <njohnston> Indeed!
04:01:32 <chandanc> Hello all
04:01:38 <SridarK> padkrish is out on PTO so most likely will not join
04:02:05 <yushiro> SridarK, OK. Thank you.
04:02:25 <SridarK> #topic FWaaS v2
04:02:51 <SridarK> njohnston: thanks for the db patch - i am working thru the integration
04:03:06 <njohnston> Excellent, I am glad we are starting to see some real velocity here
04:03:12 <SridarK> as expected - i am going thru some initial teething issues
04:03:16 <SridarK> nothing major
04:03:50 <SridarK> i am creating the new tables manually - i hope by end of day tomorrow - i will at least have gotten rid of some of the tracebacks
04:04:29 <SridarK> so will continue with that
04:04:35 <njohnston> excellent
04:05:06 <SridarK> yushiro: on the agent front - how are things
04:05:18 <SridarK> things u would like to discuss
04:05:51 <yushiro> SridarK, last week, we discussed with paddu and decided some A.I.
04:06:20 <yushiro> SridarK, My A.I is asking ajo and Ihar about adding L2 extension patch into neutron.
04:06:43 <SridarK> yushiro: ok
04:06:56 <yushiro> SridarK, But I'm sorry. I couldn't reach out ajo/Ihar last week. (No timing on IRC..)
04:07:14 <SridarK> yushiro: ok no worries - perhaps this week u can close on that
04:07:34 <njohnston> yushiro: Let me know if there is anything I/we can do to help
04:07:49 <yushiro> SridarK, Thanks. I'll send e-mail them again and try to reach out on IRC.
04:08:02 <SridarK> yushiro: ok perfect
04:08:11 <yushiro> njohnston, Yes. I'll do that. Thanks for your help :)
04:09:44 <SridarK> Moving to the driver, I dont see mickeys online. chandanc: SarathMekala: things u would like to bring up or discuss ?
04:10:14 <chandanc> I have had a look at the conntrack side
04:10:19 <SridarK> i know u were in discussion with mickeys on getting a bug opened to clean things up on neutron amongst other things
04:11:07 <chandanc> Ya, i could not proceed beyond the initial discussion about conntrack
04:11:26 <SridarK> i think mickeys is getting busy with some other things - but he mentioned that he is available for any discussions
04:11:50 <SarathMekala> I had a closure on the discussion with Mickey.. will send across an etherpad on it
04:12:07 <chandanc> ok will ping him and start proceeding on the driver patch
04:12:27 <SridarK> chandanc: SarathMekala: ok great. yes pls feel free to reach him via email or IRC
04:12:50 <SarathMekala> sure
04:12:56 <njohnston> SarathMekala and chandanc: Did either of you get an idea about the neutron change to relocate the ACCEPT?
04:12:56 <chandanc> Did you guys have a look at the singleton patch ? do you have any feedback ?
04:13:24 <SridarK> chandanc: can u pls point to the patch
04:13:27 <njohnston> chandanc: I did not, apologies. Can you send the URL?
04:13:39 <chandanc> No i have not looked at the exact iptables rules, i can give an update this week though
04:13:49 <njohnston> chandanc: Thanks!
04:13:49 <chandanc> sure
04:14:16 <chandanc> #link http://paste.openstack.org/show/510538/
04:14:49 <njohnston> #action multiple folks to review http://paste.openstack.org/show/510538/
04:14:57 * njohnston notes shwetaap pushed a new patchset for the rest API change, and it has a lot more in the way of tests: https://review.openstack.org/#/c/264489/
04:15:28 <SridarK> ok sounds good
04:15:36 <SridarK> chandanc: any thing else to discuss ?
04:15:54 <chandanc> nothing more for now
04:16:01 <shwetaap> thanks njohnston, yea i just pushed it out. I may have a few more tests to add. Will add to the patch
04:16:07 <SridarK> ok
04:16:19 <xgerman> nice
04:16:19 <SridarK> shwetaap: circling back - thx for the update
04:16:53 <SridarK> shwetaap: i have started with the original patch for my integration - i will update
04:17:14 <shwetaap> SridarK: sounds good.
04:17:50 <SridarK> xgerman: njohnston: other things to cover on v2 ?
04:18:01 <xgerman> no I think we are good
04:18:09 <njohnston> I have my v2 work on hold while I work on the l3 agent extension
04:18:27 <SridarK> njohnston: yes understood - u have given me enough to go on
04:18:51 <SridarK> njohnston: i will let u know if i hit issues
04:19:01 <njohnston> SridarK: Sounds like a good plan
04:19:27 <SridarK> #topic L3Agent extension
04:19:33 <SridarK> njohnston: pls go ahead
04:19:38 <njohnston> First implementation patch for the l3 agent extension is up: https://review.openstack.org/329701 "Move agent extension mechanism out of L2 agent"
04:19:55 <njohnston> I figure that is the first bit, then I will proceed with the more intrusive agent changes.
04:20:14 <njohnston> Note that patch is super-WIP, I haven't really attended to the breakage in the tests yet - that is tomorrow
04:20:17 <SridarK> njohnston: great - i took a quick look at this - i think getting out of L2 was a good first step
04:21:03 <SridarK> njohnston: so the extensions manager bit can be pretty much commonized without any issues ?
04:21:04 <njohnston> As far as the server side, the notification driver, it's a little stickier extricating out the l2 agent specific code from the general notification logic, and I have a question out to ajo, since he wrote that code
04:21:33 <njohnston> SridarK: I believe that part is highly generic, so yes, I am optimistic it can be generalized with very few issues
04:21:51 <SridarK> njohnston: ok that would be nice
04:21:53 <njohnston> that is the lowest of the low hanging fruit in this endeavor
04:21:58 <SridarK> :-)
04:23:12 <njohnston> So that divides the work into more achievable sections
04:23:26 <njohnston> and I will proceed delivering them seriatim
04:23:36 <SridarK> Sounds good
04:24:01 <njohnston> That is it for me
04:24:06 <SridarK> i am quite familiar with the FWaaS L3 Agent pieces - so i can definitely help bolt that in
04:24:14 <njohnston> excellent
04:24:38 <SridarK> njohnston: nice work on the spec - i think most issues are covered
04:24:47 <njohnston> what rpc messages does l3 fwaas need to be sensitive to?
04:24:55 <SridarK> once Ihar acks ur last rev - we shd be good
04:25:15 <SridarK> njohnston: these would be for the FWaaS resources
04:25:25 <SridarK> when we create a Firewall Group
04:25:38 <SridarK> or if we update a rule or a policy in a Firewall Group
04:26:03 <SridarK> IIRC, we use one topic to push these from the plugin to the agent
04:26:21 <njohnston> yes, but it would also need to be sensitive to, say, a port delete, so it would clean up any rules specific to that port's firewalling, yes?
04:26:23 <SridarK> and we had a reverse for things the agent reported back to the plugin (like if something failed)
04:26:46 <SridarK> njohnston: yes exactly as we introduce the port attribute
04:27:16 <SridarK> njohnston: previously we had an update out if the router that the FW was installed on changes
04:28:03 <njohnston> could you send me a pointer to where that logic is when you get a chance?
04:28:19 <SridarK> njohnston: although will need to look at parallels with the L2 case where u had mentioned that we shared the rpc
04:28:20 <njohnston> (doesnt need to be right now)
04:28:25 <SridarK> njohnston: surely
04:28:29 <njohnston> thanks!
04:29:22 <SridarK> njohnston: essentially all the CRUD methods will trigger a push to the agent (if there is a Firewall Group)
04:29:31 <njohnston> ok
04:29:37 * xgerman finished another call and can now pay full attention
04:29:53 <xgerman> SridarK +1
04:30:14 <SridarK> xgerman: totally understand
04:30:33 <xgerman> and then the agent will figure out if the change affects the ports it manages and ask for the info — or in v 0.5 always asks for the info
04:30:52 <njohnston> ok
04:31:16 <SridarK> xgerman: +1 - i need to go thru that logic a bit more for the new implementation model
04:31:25 <SridarK> njohnston: other things u would like to discuss here
04:31:47 <njohnston> not in the l3 topic, no
04:32:04 <SridarK> #topic Devstack plugin for FWaaS
04:32:16 <SridarK> #link https://review.openstack.org/214350
04:32:54 <SridarK> njohnston: thx for confirming - clearly i dont see the db migration script running thru
04:32:54 <njohnston> It sounds to me like migrations are only getting partially executed
04:33:03 <SridarK> yes
04:33:29 <SridarK> the router association table is not getting created, so when we do a firewall-create - we fail with the table being absent
04:33:47 <chandanc> question: do you guys not see the association table created ?
04:33:47 <njohnston> I need to bone up a bit on how migrations get executed I guess, since I can't make heads or tails of this issue yet
04:33:59 <SridarK> chandanc: i did not see it
04:34:19 <chandanc> oh, i just re stacked, and was able to create a router
04:34:36 <SridarK> and i asked njohnston: to confirm - just to be sure that i did not get something messed up on my setup
04:34:48 <SridarK> chandanc: ok i have a router too
04:34:58 <SridarK> chandanc: but are u able to create a firewall ?
04:35:06 <SridarK> i can create rules and policies
04:35:21 <chandanc> yes
04:35:29 <xgerman> know they changed migrations around a bit
04:35:34 <SridarK> chandanc: ok so i may have a red herring ?
04:35:38 <xgerman> but forgot the details
04:35:47 <chandanc> ok, will recheck and let you know by mail
04:35:56 <SridarK> xgerman: yes that is correct
04:35:59 <njohnston> chandanc: Did you try with the devstack plugin patch?
04:36:10 <chandanc> ya i did
04:36:33 <njohnston> ok, I will restack tomorrow with a freshly created VM and see what happens
04:36:50 <chandanc> please go on, will let you know once my stack is redone
04:36:52 <SridarK> chandanc: u are using enable_service fwaas ?
04:37:05 <chandanc> yes, will also share my local.conf
04:37:07 <njohnston> #action njohnston to restack with a fresh VM and see if migrations happened
04:37:14 <njohnston> chandanc: +1 thanks!
04:37:19 <SridarK> chandanc: ok great
04:37:20 <xgerman> we should put a sample local.conf in our project
04:37:28 <SridarK> lets carry on the conversation in email
04:37:45 <SridarK> xgerman: +1 lets do that right after this patch merges
04:37:51 <xgerman> we can also use our shiny new channel
04:37:56 <xgerman> ;-)
04:37:59 <SridarK> :-)
04:38:06 <chandanc> xgerman: i think we can update the README in the devstack plugin
04:38:16 <xgerman> that, too
04:38:28 <SridarK> actually the README does have this
04:38:54 <SarathMekala> yes
04:39:02 <chandanc> ok, sorry for the confusion
04:39:02 <SridarK> chandanc: ok thx - we can sync over email
04:39:03 <njohnston> devstack readme in the patch: https://review.openstack.org/#/c/214350/18/devstack/README.rst
04:39:03 <SarathMekala> was about to mention that
04:39:03 <xgerman> well, I know we added a sample local.conf in LBaaS and that helped a lot… some project even have vagrant files...
04:39:46 <SridarK> #action SridarK to clean up some of the setup documentation
04:39:51 <xgerman> sample local.conf is far more tune-key ;-)
04:39:54 <xgerman> turn-key
04:41:11 <SridarK> ok i think we have beaten this to death :-)
04:41:28 <SridarK> hopefully by tomorrow we can all be on the same page
04:42:07 <njohnston> +1
04:42:15 <chandanc> +1
04:42:32 <SridarK> #topic Open Discussion
04:43:36 <njohnston> The bot should be on #openstack-fwaas probably tomorrow, thanks to infra liaison intervention by dougwig. Thanks dougwig!
04:43:48 <SridarK> njohnston: thanks for initiating this
04:44:02 <xgerman> +1
04:44:05 <njohnston> It seemed like the logical next step
04:44:45 <chandanc> question: had a quick look at the l3 patch, do you think the agent_extension interface will change to support l3 extensions or we are going to handle updates at the port level ?
04:45:59 <SridarK> chandanc: we will have to handle the L3 port thru the L3 agent ext i/f
04:47:10 <chandanc> SridarK: i mean the methods of the agent_extension.py #link https://review.openstack.org/#/c/329701/1/neutron/agent/agent_extension.py
04:47:14 <njohnston> chandanc: The l3 agent extensions manager will load the fwaas extension, and the fwaas extension will register for port updates directly
04:48:10 <njohnston> The updates don't need to pass through the extension manager on the agent side.
04:48:16 <njohnston> rpc updates
04:48:20 <chandanc> ok, so the l3 extension will be called for each port created ?
04:48:35 <chandanc> or only the l3 ports ?
04:49:04 <SridarK> There will be port updates and then FW resource updates binding to a specific port
04:49:36 <SridarK> chandanc: we will need to do this if there is a FW bound to that port
04:49:48 <xgerman> we will have calls through the L3 extension and then our CRUD calls -port, FW Rule, etc.
04:50:49 <xgerman> so practically the L3 extension will be called for each port created on the router and each L2 port relevant to us
04:50:54 <chandanc> ok sure, will go through the patch and come back
04:51:52 <SridarK> other things any one would like to bring up ?
04:52:01 <njohnston> chandanc: And understand that https://review.openstack.org/#/c/329701 is still super WIP - it's hours old, and I am working out the kinks. :-)
04:52:04 <yushiro> njohnston, If your patch will be merged, I don't need to register some resources on L2 side?
04:53:22 <njohnston> yushiro: This shouldn't change anything for the L2 side, since the L2 agent will still need to implement rules on VM ports.
04:53:53 <xgerman> +1
04:54:02 <yushiro> njohnston, Ah, I see. I understand your patch affects only L3 side. Thanks.
04:54:19 <xgerman> we hope to share some code between L2 and L3 eventually
04:54:39 <njohnston> It seems unnatural for this part of the code not to be shared.
04:55:21 <SridarK> njohnston: i think we can commonize some of the FW - port binding stuff on the agent
04:55:44 <njohnston> SridarK: +1
04:55:50 <SridarK> njohnston: once we have some things working
04:56:34 <njohnston> indeed
04:56:57 <SridarK> ok if nothing else - we can close out
04:57:36 <yushiro> Thank you all!
04:57:48 <njohnston> thanks!
04:57:55 <SridarK> ok thanks all and we can exchg emails as needed
04:57:57 <xgerman> Thanks a lot! I will hammer out some reviews :-)
04:57:59 <chandanc> thanks
04:58:01 * SarathMekala says bye bye o/
04:58:06 <xgerman> o/
04:58:07 <njohnston> #endmeeting