04:00:02 <njohnston> #startmeeting fwaas
04:00:03 <SridarK> Hi FWaaS folks
04:00:03 <openstack> Meeting started Wed Aug 17 04:00:02 2016 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
04:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
04:00:06 <openstack> The meeting name has been set to 'fwaas'
04:00:13 <njohnston> Hi everyone!
04:00:15 <SarathMekala> Hi all O/
04:00:18 <SridarK> Hi All
04:00:25 <SridarK> been a busy week
04:00:28 <njohnston> indeed!
04:00:36 <SridarK> thx all for pulling together
04:00:44 <yushiro> Hi!
04:00:48 <SridarK> lets get started and move quickly
04:00:56 <SridarK> #topic FWaaS v2
04:01:04 <chandanc_> Hi
04:01:10 <SridarK> njohnston: oops need chair priv pls
04:01:15 <njohnston> oops
04:01:19 <njohnston> #chair SridarK
04:01:20 <openstack> Current chairs: SridarK njohnston
04:01:22 <njohnston> #chair xgerman
04:01:23 <openstack> Current chairs: SridarK njohnston xgerman
04:01:30 <njohnston> #chair yushiro
04:01:31 <openstack> Current chairs: SridarK njohnston xgerman yushiro
04:01:34 <SridarK> #topic FWaaS v2
04:01:38 <yushiro> njohnston, thanks :)
04:01:44 <SridarK> thx njohnston
04:01:54 <SridarK> lets run thru the patches in order
04:02:42 <SridarK> #link https://review.openstack.org/#/c/264489/
04:02:48 <SridarK> for ext
04:02:49 <shwetaap> Hi, I think mine should be first .. i have addressed the comments. I should have the new patch up in like 5 mins.
04:03:00 <njohnston> Excellent, thanks shwetaap!
04:03:06 <SridarK> shwetaap: ok thx - i was just checking
04:03:21 <hoangcx> Hi
04:03:23 <yushiro> shwetaap, great. I'll review it again.
04:03:27 <SridarK> shwetaap: all comments addressed ?
04:03:46 <SridarK> i will review too, we can try to sign off tonight pending Jenkins
04:04:10 <SridarK> shwetaap: just to be safe - pls rebase b4 u push
04:04:15 <njohnston> Current Jenkins gate queue delay is like 12 hours, so it'll take a bit. :-(
04:04:24 <SridarK> njohnston: sigh
04:04:25 <njohnston> https://twitter.com/openstackstatus/status/765740473327771648
04:04:32 <shwetaap> sure, i was running into git issues. But should be up in a bit. Yea I think there were comments from njohnston, yushiro and SridarK
04:04:51 <shwetaap> i have addressed those.
04:05:07 <SridarK> shwetaap: ok - pls to do UT run too - so we can avoid another spin thru Jenkins
04:05:16 <SridarK> shwetaap: thx
04:05:25 <shwetaap> yea the UT's are passing locally
04:05:37 <SridarK> ok cool lets move on
04:05:41 <SridarK> #link https://review.openstack.org/#/c/311159/
04:05:46 <SridarK> the db patch
04:05:55 <SridarK> njohnston: and i have been working thru this
04:06:07 <njohnston> indeed, and thanks all for the valuable input
04:06:20 <SridarK> ran into an issue with project_id which was painful
04:06:48 <SridarK> so we came to an agreement that we will revert back to tenant_id
04:07:08 <SridarK> had issues with context getting set properly, i think neutron has to do some changes here
04:07:17 <SridarK> yushiro: thx for ur help
04:07:19 <njohnston> After the tenant_id problem, there are some lingering UT issues, but a number of them look like legitimate logic errors.
04:07:33 <yushiro> SridarK, no worries.
04:07:39 <njohnston> So I am grateful for the UTs, they are helping us
04:07:43 <SridarK> njohnston: yes likely - we can pick them off quickly over tomorrow
04:07:47 <yushiro> SridarK, +1 to revert 'tenant_id'.
04:07:49 <njohnston> yes
04:07:58 <SridarK> sigh yes made it almost feel like TDD :-)
04:08:25 <njohnston> TDD - tears driven development :-)
04:08:39 <SridarK> ROTFL !!
04:08:40 <SarathMekala> :D
04:08:44 <yushiro> TDD!
04:09:21 <SridarK> after breaking my head from Sun, i also should thank one of my colleagues (Bob Melander) who provided another set of eyes
04:09:40 <yushiro> SridarK, njohnston I've commented into DB patch. sorry for periodic comment. But please check it.
04:09:53 <njohnston> yushiro: The periodic comment is no problem at all. :-)
04:10:06 <SridarK> it is kind of painful to debug the REST errors as we dont kind of know what exactly failed
04:10:09 <yushiro> njohnston, thanks.
04:10:17 <njohnston> yushiro: I have 33000 emails in my Openstack mailbox, one or two more is not a problem.
04:10:28 <SridarK> njohnston: +1 many thx yushiro - it has been very helpful
04:10:54 <yushiro> njohnston, wow, thanks for your kindness.
04:11:30 <yushiro> SridarK, no worries. I think we shouldn't use context.get_admin_context()
04:11:36 <SridarK> njohnston: & I will push thru on this and we hope we will have it ready by end of day tomorrow
04:11:44 <njohnston> Yes, very optimistic we can get the DB patch merged in the next 24 hours.
04:12:06 <SridarK> yushiro: yes i agree - but thx for ur patience in providing insight - my brain had become mush
04:12:29 <SridarK> njohnston: anything else to add on this
04:12:50 <njohnston> Nothing terribly important, no.
04:12:55 <njohnston> Just little things to chase down
04:13:06 <SridarK> njohnston: ok yes agree
04:13:15 <SridarK> ok moving on next to the plugin
04:13:18 <SridarK> #link https://review.openstack.org/#/c/267046/
04:13:58 <SridarK> i kind of went over to help out on the db patch, so i got back to this today - i think i wired up the basic UT with the right extensions
04:14:27 <SridarK> basically i need to get the UT in place, and a few clean up items on it
04:14:57 <SridarK> the plugin mostly passes things over to the db - where most of the heavy lifting is done
04:15:49 <SridarK> we will keep the old rpc model for now to get things in coordination with mfranc213 & chandanc_ 's patch
04:15:57 <SridarK> which we can get to next
04:16:26 <SridarK> L3 Agent + Driver (mfranc213 & chandanc_ )
04:16:38 <SridarK> #link https://review.openstack.org/#/c/337699/
04:17:02 <njohnston> mfranc213 has been working on the UTs
04:17:04 <SridarK> i think this patch is mostly in place, mfranc213 also added in the UTs
04:17:22 <SridarK> njohnston: identical thoughts :-)
04:17:27 <njohnston> :-)
04:17:41 <SridarK> chandanc_: thx for jumping in with the driver piece
04:17:51 <SridarK> and also running the end to end tests
04:17:59 <chandanc_> no worries, was an opportunity to learn :)
04:18:11 <SridarK> which gives another measure of confidence over and above the UT
04:18:47 <chandanc_> BTW once you guys are mostly done with the patches i would like to do a final integration test
04:18:53 <SridarK> chandanc_: i think mfranc213 went ahead and added some UT for the driver too - as she communicated to u
04:18:59 <chandanc_> yes
04:19:09 <SridarK> chandanc_: yes that will be good
04:19:16 <njohnston> chandanc_: absolutely, we should all do so
04:19:27 <SridarK> if we find some issues we can pick it up in one of the later patches too
04:19:48 <SridarK> ok with that we cover our first major push
04:20:06 <SridarK> folks pls feel free to interrupt with any questions or thoughts
04:20:36 <SridarK> ok lets move on
04:20:52 <SridarK> #topic FWaaS v2 Phase 2
04:21:17 <shwetaap> the new patch is uploaded, once the jenkins test completes, please review the patch.
04:21:25 <SridarK> The next critical patch to go in should be the CLI patch
04:21:37 <SridarK> in terms of time lines i believe
04:21:42 <njohnston> agreed
04:21:54 <SridarK> yushiro: i know u have this in progress
04:22:14 <SridarK> is there anything u will need ?
04:22:15 <yushiro> SridarK, Yes. in CLI patch, I've reflected comments in my local env.
04:22:22 <SridarK> yushiro: ok
04:22:33 <yushiro> I'll push the CLI patch within today.
04:22:44 <SridarK> if it is easy - we can add that to our integration test
04:22:50 <SridarK> yushiro: ok great
04:23:17 <chandanc_> sure can have it in the integration test
04:23:49 <yushiro> I'm considering the command format. Hence, please feel free to comment on my next CLI patch.
04:23:57 <njohnston> will do yushiro!
04:24:12 <SridarK> +1
04:24:24 <yushiro> thank you all!
04:24:28 <SridarK> one thing we should think abt is how to reflect the L2 model
04:25:20 <SridarK> because unlike L3, we will need to dynamically add as a VM comes up
04:25:29 <SridarK> something to think abt
04:25:42 <SridarK> may be we can exchg some emails
04:25:51 <chandanc_> I think you will get a call through the L2 ext right ?
04:25:55 <njohnston> I've been looking at the L2 code, and I have some thoughts
04:26:05 <njohnston> yes, should be a create port RPC message will come through
04:26:08 <SridarK> njohnston: yes that is my understanding
04:26:14 <padkrish_> SridarK# aren't we hooking with the OVS neutron agent for port update events to address that?
04:26:36 <SridarK> padkrish_: yes i think thru the L2 ext framework as njohnston is saying
04:26:46 <njohnston> yes +1
04:27:06 <padkrish_> SridarK# yes, that already seems to be there...need to tie in all the pieces
04:27:15 <njohnston> I think it's pretty close
04:27:20 <njohnston> all the pieces are there
04:27:43 <SridarK> njohnston: perhaps we will need to state that we want the fw applied in some form to all VMs in project for example
04:27:49 <padkrish_> #njohnston# if my memory serves me right, we may need to add some parameters to the get_port_details RPC....
04:27:55 <SridarK> since we will not be tied in to nova create
04:27:59 <padkrish_> Will confirm
04:28:22 <njohnston> But yes, let's get an email chain started
04:28:23 <yushiro> padkrish_, Sorry, a trigger method is 'handle_port' ?
04:28:32 <SridarK> njohnston: yes
04:28:59 <padkrish_> yushiro# yes, from agent perspective.
04:29:08 <njohnston> padkrish_: could you email the details that need to be added to get_port_details?
04:29:15 <yushiro> padkrish_, OK. we're on same page :)
04:29:23 <padkrish_> njohnston# sure, will do
04:29:27 <njohnston> thanks!
04:29:45 <SridarK> ok i think we can have a plan in place quickly
04:30:35 <SridarK> njohnston: is already thinking abt this, mfranc213: & padkrish_ are looking at versioned obj - so i think in some combination of folks
04:30:42 <SridarK> we can get this ball rolling
04:30:45 <njohnston> yep
04:31:18 <SridarK> oh and the other piece is the L3 agent ext framework in all of this
04:31:20 <yushiro> yes
04:31:30 <SridarK> njohnston: great congrats on the patch getting merged
04:31:47 <njohnston> thanks!
04:32:03 <yushiro> njohnston, congrats!!
04:32:04 <SridarK> njohnston: now we will also refactor the L3 agent around this correct ?
04:32:18 <njohnston> mfranc213 has put up a PS for refactoring the fwaas L3 extension to use the L3 agent extension mechanism
04:32:21 <njohnston> #link https://review.openstack.org/#/c/355576/
04:32:33 <njohnston> So thanks to her we are ahead of the game there
04:32:44 <SridarK> oh ok great - yes - she did mention this - yes
04:33:01 <SridarK> ok that is covered too
04:33:20 <njohnston> It's on my 'to review' list as soon as we get past the DB patch
04:33:27 <SridarK> ok so we have our work cut out over the next few days
04:33:43 <SridarK> now on the iptables pieces
04:33:56 <SridarK> chandanc_: & SarathMekala: pls go ahead
04:34:15 <SridarK> chandanc_: thx for reaching to get this on kevin's radar
04:34:18 <njohnston> #link https://review.openstack.org/#/c/348177/
04:34:31 <njohnston> I hope we can get attention on it while the midcycle is going on
04:34:44 <chandanc_> We had some back from Kevin on the commit message, he also went through our doc
04:34:48 <SridarK> njohnston: yes - chandanc_ has added it to the etherpad
04:34:54 <SarathMekala> Yep. Will be great if we can get the code reviewed
04:35:02 <chandanc_> yes the etherpad is updated
04:35:20 <chandanc_> I can reach out to Kevin once more for a reminder
04:35:27 <SridarK> hoangcx: many thx for adding Ha Van also
04:35:54 <chandanc_> Is there anyone else who can give us some feedback on the patch ?
04:36:03 <chandanc_> yes SridarK
04:36:20 <hoangcx> SridarK: No problem.
04:36:20 <SridarK> chandanc_: i think u can reach out to Ha Van
04:36:30 <chandanc_> sure will do
04:36:34 <SridarK> hoangcx: pls help make this happen and many thanks
04:37:19 <hoangcx> SridarK: He is investigating in the design. Will push comments soon (maybe today or tomorrow).
04:37:25 <chandanc_> We are going to start with the driver patch this week
04:37:28 <SridarK> hoangcx: ok great
04:37:38 <SridarK> thx
04:37:41 <yushiro> hoangcx, thanks.
04:37:49 <hoangcx> SridarK: Thank you too :-)
04:38:23 <SarathMekala> We have gone through Yushiro's L2 agent code
04:38:50 <SarathMekala> will reach out to him for integrating with the driver code
04:39:02 <yushiro> SarathMekala, OK.
04:39:08 <SridarK> SarathMekala: ok thx
04:40:08 <SridarK> and how are things looking with the driver - should that be straightfwd along the lines of the L3
04:40:50 <SridarK> once u have the neutron piece in place and the L2 Agent piece - the driver as such will bind the rules to a VM port
04:40:51 <chandanc_> I think it will be a bigger change than the l3 agent, We have looked at Mickey's patch as reference
04:40:59 <SridarK> chandanc_: ok
04:41:08 <chandanc_> yes SridarK
04:41:48 <SridarK> pls let us know how we can help
04:41:53 <njohnston> +1
04:41:54 <chandanc_> sure
04:42:10 <SarathMekala> sure.. will ping you for any info
04:42:20 <SridarK> hoangcx: we will keep Ha Van in the loop for any suggestions or help too
04:42:23 <SridarK> as time is short
04:42:38 <SarathMekala> ok
04:42:56 <hoangcx> SridarK: Sure. He is yours :-)
04:42:56 <SridarK> ok anything else on the driver pieces
04:43:01 <SridarK> hoangcx: thx
04:43:04 <SridarK> :-)
04:43:26 <SridarK> chandanc_: & SarathMekala: pls reach out
04:43:37 <SridarK> u heard it from hoangcx: :-)
04:43:42 <chandanc_> No , we will start by reaching out to Yushiro
04:43:48 <SarathMekala> :D.. sure
04:43:59 <SarathMekala> we will be coming out with a patch soon
04:44:04 <SridarK> ok cool
04:44:29 <SridarK> if nothing else lets move on
04:44:55 <SridarK> #topic new cores
04:45:29 <SridarK> as in the email congrats and thx to njohnston: & yushiro: for taking on the additional responsibilities
04:45:41 <SridarK> this will enable our velocity
04:45:47 <padkrish_> +1
04:45:48 <SarathMekala> Congrats njohnston & yushiro
04:45:54 <chandanc_> Congrats to Nate and Yushiro
04:45:57 <njohnston> Thanks for the trust. Please let me know, anyone, if I can help you.
04:46:14 <hoangcx> congrats to Nate and Yushiro :-)
04:46:18 <yushiro> Thank you all! I'll do my best to realize FWaaS v2!!
04:46:25 <SridarK> +1
04:46:38 <SridarK> #topic open discussion
04:47:11 <SridarK> firstly many thx for the cohesiveness of the team - we are all kind of all over the place - helping out as needed
04:47:44 <SridarK> we will probably work in this fashion with a little lack of structure to push things fwd
04:47:52 <njohnston> +100
04:48:13 <yushiro> :)
04:48:37 <yushiro> Hi, I have 1 thing about firewall_group status. I'd like to sync my understanding with you.
04:48:57 <SridarK> the next few days are going to be crazy. Lets target by Fri to get things in to give us a little buffer
04:49:14 <SridarK> yushiro: yes pls
04:49:19 <SridarK> (by next week Fri)
04:50:05 <yushiro> yes, in my understanding, the 'status' of firewall_group relates port association.
04:50:31 <SarathMekala> is it only L3 for next Fri?
04:51:12 <yushiro> no ports association -> "INACTIVE", associated ports -> "ACTIVE", waiting for update -> "PENDING_UPDATE", waiting for delete -> "PENDING_DELETE"
04:51:16 <SridarK> yushiro: yes and also to reflect that the driver has applied the changes and it is marked ACTIVE
04:51:28 <SridarK> yushiro: yes exactly
04:52:23 <SridarK> SarathMekala: no the week of Aug 29 is Feature Freeze - i would not count on that week
04:52:31 <SridarK> njohnston: am i correct ?
04:52:32 <yushiro> SridarK, OK, thanks. So, how about current situation? firewall_group has no ingress_firewall_policy_id and egress_firewall_policy_id and associated with ports.
04:52:46 <njohnston> SridarK: yes
04:53:20 <SridarK> yushiro: that is interesting - we cannot really apply anything
04:53:40 <SridarK> earlier the policy was a mandatory attribute
04:54:22 <SridarK> now we have a default of NULL - which makes sense as we need not have both ingress and egress
04:54:26 <yushiro> SridarK, Yes. That's my opinion. How about changing mandatory params either 'ingress_firewall_policy_id' or 'egress_firewall_policy_id'?
04:54:53 <SridarK> yushiro: yes
04:55:09 <SridarK> we can do the validation in the plugin
04:55:27 <SridarK> we can still keep the attribute spec as optional
04:55:47 <SridarK> but the plugin can check if either one is present
04:55:57 <yushiro> SridarK, OK. I understand.
04:56:00 <SridarK> and we have to handle the update case on fw grp
04:56:12 <SridarK> what if we have ingress policy only
04:56:16 <yushiro> SridarK, Sure. we also take care about it.
04:56:31 <SridarK> and now we update the fw grp and try to remove it
04:56:37 <SridarK> we can fail that
04:58:02 <SridarK> we can also create a fwg and if no policy we can keep it INACTIVE and we can fail if user tries to bind ports to a fwg that has no policy
04:58:25 <SarathMekala> yushiro: Earlier we had an option to start the firewall with state DOWN. Hope it's taken care with Firewall groups as well.
04:58:28 <yushiro> SridarK, ah, yes! it's better.
04:58:37 <SridarK> great point yushiro: - we are almost out of time - shall we continue on email
04:58:48 <SridarK> or on irc
04:58:57 <yushiro> SridarK, sure. I'll send e-mail to all.
04:58:59 <SridarK> ok we are almost at time
04:59:02 <SridarK> yushiro: +1
04:59:11 <njohnston> +1
04:59:14 <SridarK> we can add the L2 discussion also
04:59:26 <SridarK> ok thanks again all
04:59:35 <SridarK> lets get those patches merging
04:59:50 <njohnston> yes!
04:59:59 <SridarK> bye all
05:00:01 <njohnston> #endmeeting