04:00:02 <njohnston> #startmeeting fwaas 04:00:02 <openstack> Meeting started Wed Jul 20 04:00:02 2016 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot. 04:00:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 04:00:06 <openstack> The meeting name has been set to 'fwaas' 04:00:09 <SridarK> Hi All 04:00:19 <njohnston> Hello everyone, happy ${localtime} to you. 04:00:23 <njohnston> Welcome back SridarK! 04:00:28 <njohnston> #chair SridarK xgerman 04:00:29 <openstack> Current chairs: SridarK njohnston xgerman 04:00:30 <SarathMekala> Hi all 04:00:43 <SridarK> njohnston: can u pls run the mtg - just landed and got back home 04:00:55 <SridarK> njohnston: thx good to be back 04:00:55 <njohnston> SridarK: Absolutely. 04:01:09 <SridarK> njohnston: thx 04:01:29 <njohnston> #topic Announcements 04:01:31 <mickeys> Hi 04:01:49 <njohnston> So N-2 is out, we are now on the road to N-3! 04:02:11 <njohnston> Time to really focus on landing functionality 04:02:27 <SridarK> yes and we have just enough time 04:02:36 <SridarK> njohnston: +1 04:03:20 <njohnston> #topic FWaaS v2 04:03:47 <njohnston> So, let's start with SarathMekala - how has your progress been? 04:04:12 <SarathMekala> I am working on the changes mentioned in the last meeting 04:04:22 <SarathMekala> http://paste.openstack.org/compare/538765/526708/ 04:04:30 <SarathMekala> basic constructs are getting generated 04:04:45 <SarathMekala> need to streamline the flow.. right now its a bit broken 04:05:52 <njohnston> Very interesting. Good stuff. 04:06:20 <njohnston> Anything you need as far as the streamlining/unbreaking the flow? 04:06:26 <SridarK> SarathMekala: would there be an easy way to do some testing with some UT's ? 04:06:27 <njohnston> that the team can assist with> 04:06:28 <njohnston> ? 04:07:15 <SarathMekala> the flow is not proper yet.. 04:07:37 <SridarK> SarathMekala: ok 04:07:45 <SarathMekala> once i fix it .. I will start a discussion on the UT cases 04:08:14 <SridarK> SarathMekala: sounds good - this is an area where we will need some good testing 04:08:24 <njohnston> definitely 04:08:28 <SarathMekala> chandan is on leave last week.. I was also down sick for a few days.. so could not make the progress I desired 04:08:49 <SridarK> hopefully other pieces will start falling in to place so we can do some integration soon too 04:08:54 <njohnston> yep 04:08:59 <SridarK> SarathMekala: understood 04:09:07 <SarathMekala> hoping to make some progress this week 04:09:26 <njohnston> Well, yushiro is out this week due to company functions... 04:09:37 <njohnston> padkrish: Were you able to make any progress this week? 04:09:57 <padkrish> njohnston# yes, i have a patch sent out last week 04:10:02 <padkrish> https://review.openstack.org/#/c/342476/ 04:10:08 <padkrish> ofcourse, it's a WIP 04:10:23 <padkrish> added most of you as reviewers 04:11:15 <padkrish> some stuffs in neutron notification drivers can be generalized.... but that patch may be in the scope of neutron 04:11:23 <njohnston> Yep, I read through it, it's definitely a good start. Do you want to get anything done on it before we start reviewing, or should we start? 04:12:03 <SridarK> padkrish: if we can manage without neutron changes that will be good 04:12:06 <padkrish> feel free to start, if we are ok with the contents of the patch and approach, i can clean it up 04:12:18 <SridarK> we can open a bug and refactor later on - is that possible ? 04:12:28 <padkrish> sridar, sure...we can do that 04:12:40 <padkrish> inspite of that, some resources still need to be defined in neutron 04:13:14 <padkrish> those are the things, i need some suggestions with 04:13:18 <SridarK> padkrish: ok - we can discuss this more 04:13:57 <SridarK> padkrish: maybe we can have a discussion with njohnston: & mfranc213_ 04:14:01 <padkrish> sridarK# i even had a prototype of the neutron patch 04:14:03 <njohnston> padkrish perhaps we can work on this later this week. I would like to help 04:14:34 <padkrish> njohnston, sridarK# sure, let's talk this week 04:14:40 <njohnston> #action padkrish to talk with SridarK njohnston mfranc213_ 04:14:50 <padkrish> sounds good 04:15:04 <njohnston> Any update from shwetaap? 04:15:33 <SridarK> njohnston: looks like she is not on, i will ping her in the morning 04:15:39 <njohnston> OK, sounds good. 04:16:02 <SridarK> and on the db, plugin, will get patch revision out tomorrow 04:16:17 <njohnston> SridarK: Excellent, looking forward to it! 04:16:38 <njohnston> Any other updates for FWaaS v2 stuff? 04:16:41 <SridarK> last week was just too crazy and i could not really get on at all, glad to be back and need to close these out 04:16:47 <njohnston> +1 04:17:03 <SridarK> njohnston: on the CLI we will discuss later in the week ? 04:17:17 <SridarK> atleast we can have a plan before u go on PTO 04:17:20 <njohnston> #topic CLI 04:17:26 <SridarK> ah ok :-) 04:17:30 <njohnston> Thanks for that segue, SridarK :-) 04:17:36 <SridarK> :-) 04:17:59 <njohnston> So in the Neutron team meeting earlier the status of subprojects transitioning to OSC (OpenStackClient) was discussed. 04:18:18 <njohnston> amotoki has a successful template that he used for VPNaaS that he said he would share with us. 04:18:36 <njohnston> So I am hoping we can take that and use it for at least the base plugin integration capability. 04:19:04 <SridarK> njohnston: that is great - hopefully will make life a bit easier 04:19:49 <njohnston> My question is this: from an API perspective, our position is that we are keeping both v1 and v2 alive at the same time. But I don't think we can support such an approach from the CLI perspective. I assume for an OSC integration we would move forward with v2 and disregard v1 CLI. Is that correct from your point of view? 04:20:31 <SridarK> njohnston: i think that sounds reasonable - off the top of my head 04:20:55 <SridarK> njohnston: i think we need not allow v1 & v2 to be operational concurrently 04:21:26 <njohnston> SridarK: Sounds good - and this is not the final word on the subject, should we find we need to revisit it 04:21:41 <SridarK> njohnston: ok we can talk more on this too 04:21:58 <njohnston> #topic L3 Agent Extensions 04:22:25 <njohnston> So the first part of the l3 agent extension work, the extrapolation of the l2 agent extensions out, was merged today 04:22:27 <njohnston> #link https://review.openstack.org/329701 04:22:48 <njohnston> So now the focus comes to the second part, which is the actual introduction of the l3 agent extension and manager 04:22:57 <njohnston> #link https://review.openstack.org/339246/ 04:23:10 <SridarK> njohnston: congrats - i am just catching up - great work 04:23:13 <njohnston> Right now that is looking conceptually all right, but it needs additional tests 04:23:43 <njohnston> I am working on a fullstack test where I set up a dummy l3 extension and register it, and then make sure that when I send router events that the extensions handle methods get called 04:24:04 <njohnston> but that is complex, and will take a bit, so may be split into another change 04:24:34 <SridarK> njohnston: perhaps we could sync offline - so i can get some context quickly after i take a first pass at the changeset 04:24:52 <njohnston> SridarK: Yes, definitely, let's set a time tomorrow 04:25:24 <SridarK> njohnston: ok perfect - we can coordinate on IRC or email tomorrow - possibly in the afternoon 04:25:26 <njohnston> So above and beyond that the last bit is creating the actual l3 agent extension for FWaaS, which I believe yushiro was working on IIRC 04:25:36 <njohnston> SridarK: Great, just let me know. 04:25:40 <SridarK> ok 04:26:22 <njohnston> #topic Virtual Sprint 04:26:43 <njohnston> So per our discussion last meeting we had discussed doing a virtual sprint thursday and friday of this week 04:26:59 <njohnston> I set up an etherpad for it: https://etherpad.openstack.org/p/fwaas-virtual-sprint-2016-1 04:27:10 <njohnston> please drop in any topics you would like to discuss 04:27:14 <SridarK> njohnston: +1 04:27:45 <SridarK> if we want to do a conference call type setting - i can take care of the logistics 04:27:51 <njohnston> Also, I have no secret sauce as far as how best to communicate - videoconferencing or other options. If people have a preference, or something they would like to offer, please note it in the etherpad. 04:28:55 <njohnston> Do we want to gather at any specific time on Thursday to kick it off? 04:29:18 <SridarK> sounds good - i lean towards a video conference type setting to improve interaction - but we can go on consensus on the etherpad 04:30:02 <SridarK> njohnston: lets decide on the etherpad, i just want to run thru email to make sure abt my calendar 04:30:14 <njohnston> sounds prudent 04:30:32 <njohnston> OK, please folks put your thoughts into the etherpad - that is the best way we can get the most out of this 04:30:39 <SridarK> +1 04:31:17 <njohnston> #topic Open Discussion 04:31:40 <mickeys> I wanted to discuss an alternative implementation for L2 FWaaS v2: OVN 04:31:53 <mickeys> We have been discussing the possibility of FWaaS on OVN internally in IBM. 04:32:08 <mickeys> This made me realize that it is much simpler and much less work to add than the reference implementation. 04:32:24 <mickeys> In OVN itself (OVS repository), we would need to add a second ACL pipeline stage. 04:32:33 <njohnston> mickeys: I had been wondering if it would be easier to do that. 04:32:55 <mickeys> None of the IBM people available for this work other than me know anything about OVN, so I would probably have to generate that patch. I should be able to get to it next week. 04:33:06 <mickeys> The part I have not thought about, and where most of the work is, is on the networking-ovn side. 04:33:07 * njohnston is very interested to see that 04:33:23 <mickeys> Not sure about modularity, how to set up the relationship between networking-ovn and fwaas 04:33:51 <mickeys> Most of the security groups code should be reusable. It transforms security groups into address sets and ACLs. The ACL model already supports deny and priority. 04:33:59 <SridarK> mickeys: that was something i was wondering - if it is easy to switch over to ovn 04:34:17 <SridarK> mickeys: hopefully we can ride on the SG work 04:34:38 <mickeys> Reusability is much higher. Once you have a separate pipeline stage, the code is largely reusable. None of this interleaving chains that you have to deal with in iptables in order to get both features to play. 04:34:51 <njohnston> I like that 04:34:52 <mickeys> I have to convince the OVN leads that a second ACL pipeline stage is a good idea. 04:34:58 <SridarK> mickeys: yes will be cleaner 04:35:13 <SridarK> mickeys: are there some scale impacts or differences ? 04:35:15 <mickeys> They like to consider ideas with code. So I have to write the patch first. 04:35:50 <mickeys> We have found that scale is much better, since it avoids rabbitmq issues and such 04:35:59 <SridarK> mickeys: ok 04:36:06 <njohnston> mickeys: Do you think this stands a shot at making it in Newton? 04:36:08 <mickeys> However, there are some issues around address sets/groups of addresses. 04:36:19 <mickeys> For NB and SB database, this just made it in, which is good. 04:36:28 <mickeys> However, in the data plane they are still expanding to separate rules per IP address. 04:36:46 <mickeys> However, there is cacheing magic in OVS. I have no idea how much that helps performance. 04:37:26 <mickeys> I think there is a chance at Newton. Not sure about resource issues. Interfacing with networking-ovn plugin is a different architecture than the reference implementation. 04:37:49 <mickeys> The OVS OVN part should be easy in the Newton timeframe, as long as they accept the basic concept. 04:38:22 <SridarK> So just to be clear we will continue with the iptables work that mickeys, chandanc and SarathMekala have been going thru, and push this as an alternate approach 04:38:38 <njohnston> always good to have a backup plan 04:38:39 <mickeys> That is probably the safer way to go 04:38:53 <SarathMekala> sounds good 04:38:58 <njohnston> sounds good 04:39:00 <SridarK> ok sounds good, thanks mickeys for bringing this up 04:39:14 <mickeys> The question is who can drive integration with networking-ovn? No chance unless someone takes that up. 04:39:29 <mickeys> Let me ask what the resource picture looks like within IBM, but given the short time frame I am skeptical. 04:40:03 <njohnston> OK, administrative note: I will be on PTO 7/25 to 7/30 and then again 8/3 to 8/5, so I will miss the next 2 meetings. 04:40:13 <SridarK> mickeys: ok i guess IBM and Redhat are the major players and resources there would be the best 04:40:17 <njohnston> SridarK: will you be able to lead them? 04:40:26 <SridarK> njohnston: yes now i am back 04:40:34 <njohnston> SridarK: excellent, thanks! 04:40:35 <SridarK> and will be around 04:40:54 <mickeys> I will also miss the next two meetings, just interruptions on those evenings. I will be around in general, though rather busy with other things. 04:40:55 <SridarK> njohnston: thx for covering the last 2 weeks 04:41:13 <njohnston> Also, have you heard anything from the driver teams on their spinout? 04:42:04 <njohnston> varmour, vyatta, and cisco are what I see in tree 04:42:22 <SridarK> njohnston: yes - i will close on this - this week 04:43:02 <njohnston> SridarK: thanks 04:43:48 <njohnston> Does anyone have anything else they would like to bring up? 04:44:39 <SridarK> I have nothing to discuss 04:44:54 <njohnston> In closing, let me say I am looking forward to seeing you all soon on the virtual sprint later this week! Please keep an eye on that etherpad. 04:45:02 <SridarK> +1 04:45:03 <njohnston> https://etherpad.openstack.org/p/fwaas-virtual-sprint-2016-1 04:45:22 <njohnston> And with that, I bid you a lovely day! 04:45:25 <njohnston> #endmeeting