04:00:13 <njohnston> #startmeeting fwaas
04:00:14 <openstack> Meeting started Wed Aug 24 04:00:13 2016 UTC and is due to finish in 60 minutes.  The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
04:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
04:00:18 <openstack> The meeting name has been set to 'fwaas'
04:00:18 <xgerman> o/
04:00:24 <yushiro> hi
04:00:25 <chandanc_> Hello All
04:00:30 <njohnston> #chair xgerman yushiro SridarK
04:00:31 <openstack> Warning: Nick not in channel: SridarK
04:00:32 <openstack> Current chairs: SridarK njohnston xgerman yushiro
04:00:41 <njohnston> Hello all!
04:00:49 <njohnston> #link https://etherpad.openstack.org/p/fwaas-meeting Meeting agenda
04:01:15 <SarathMekala> Hi all O/
04:01:58 <SridarK_> Hi All
04:02:11 <padkrish> hello all
04:02:48 <SridarK_> shall we get started
04:03:07 <SridarK_> #topic FWaaS v2
04:03:22 <SridarK_> njohnston: oops #chair pls
04:03:33 <njohnston> #chair SridarK_
04:03:34 <openstack> Current chairs: SridarK SridarK_ njohnston xgerman yushiro
04:03:42 <njohnston> Sorry, I had it without the underscore
04:03:47 <SridarK_> thx njohnston:
04:03:49 <SridarK_> aah ok
04:03:59 <SridarK_> #topic FWaaS v2
04:04:33 <SridarK_> lets do a quick run thru, this has been an extremely productive week - many thx to all for jumping in where ever needed
04:05:26 <SridarK_> njohnston: many thx for capturing the priorities and status at: #link https://etherpad.openstack.org/p/fwaas-meeting
04:05:43 <njohnston> yw, I figured it would help us focus and prioritize
04:06:17 <yushiro> njohnston: Thanks.  it's so helpful to understand.
04:06:29 <SridarK_> absolutely, and as in the etherpad we are almost thru the "First Wave" :-)
04:07:10 <SridarK_> we are in a good position to almost have the L3 end to end going
04:07:36 <njohnston> Shall we go through each patch and get a status?  If there are any blocking items we can talk about that as well.
04:07:47 <SridarK_> the last part #link https://review.openstack.org/337699 is almost ready - i think we hit some minor integration issues
04:07:52 <SridarK_> njohnston: +1
04:08:12 <SridarK_> lets start with this ^^ patch
04:08:46 <njohnston> I believe Chandan is working on the fixes now; I believe that once those are in it will be ready to merge
04:08:50 <SridarK_> mfranc213: is out on PTO but that has not stopped her from still getting some things in
04:09:08 <njohnston> She is unstoppable :-)
04:09:13 <SridarK_> njohnston: yes chandanc_: i put in some comments
04:09:14 <xgerman> :-)
04:09:17 <chandanc_> njohnston, yes i am testing the changes required to fix the issues reported by SridarK_
04:09:18 <SridarK_> :-)
04:09:29 <yushiro> chandanc_: good
04:09:37 <SridarK_> chandanc_: great thx very much to take a look, i know u have ur plate full as is
04:09:54 <njohnston> chandanc_: Please let me know if you need any assistance
04:10:04 <chandanc_> sure, will send an update ASAP
04:10:15 <SridarK_> essentially the issue u reported on the rpc failures was that we were using the v1 agent
04:10:21 <chandanc_> njohnston, sure will let know
04:10:43 <SridarK_> one approach is to use an ini file to decide on which version to use
04:11:17 <SridarK_> but with the L3 Agent ext this may be not reqd and as we remove the workaround - it will be moot
04:11:34 <njohnston> I agree, better to leave things as simple as possible
04:11:36 <SridarK_> workaround = the L3Agent workaround
04:11:53 <SridarK_> ok good - so shall we just load in the new agent
04:12:32 <SridarK_> by making a change in: https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/cmd/eventlet/agents/fw.py#L33
04:12:46 <njohnston> ok
04:13:17 <chandanc_> sure
04:13:22 <SridarK_> if we are going to refactor this - soon - may be investing too much time here is moot
04:13:46 <SridarK_> chandanc_: could u pls put in a TODO around here - indicating that is a temp workaround
04:13:59 <chandanc_> sure will do that
04:14:05 <SridarK_> the one issue is that we will hit tempest failures
04:14:36 <SridarK_> as devstack will pick up the new plugin + agent but run the old version of tempest
04:14:43 <njohnston> then perhaps we should do nothing, since we don't hit temoest failures not
04:14:53 <njohnston> tempest failures now
04:15:11 <SridarK_> njohnston: yes and we can just change that line when we run the tests
04:15:25 <SridarK_> run the tests manually
04:15:36 <njohnston> as long as it is set for success in the gate :-)
04:16:05 <SridarK_> i think that shd be ok as the gate will run v1
04:16:17 <njohnston> good
04:16:20 <SridarK_> once we refactor to the agent ext
04:16:40 <SridarK_> then we will load in the new version of the agent
04:17:02 <SridarK_> and we keep v1 running in the old model /
04:17:15 <njohnston> sounds good
04:17:25 <yushiro> I understand.
04:17:28 <SridarK_> ok i think we need to think this thru more but lets not waste too much time
04:17:31 <SridarK_> here
04:17:37 <SridarK_> we can pick up an email thread
04:17:59 <SridarK_> chandanc_: are u ok with the changes
04:18:34 <SridarK_> we can discuss more after the mtg or after we have run thru the topics and we can pick up
04:18:46 <njohnston> Sounds good.  Shall we move on?
04:18:46 <chandanc_> yes, so i will  have the workaround with the TODO comment right ?
04:18:50 <SridarK_> ok so i think we have a plan for this
04:19:11 <SridarK_> chandanc_: lets pick up at the end of mtg
04:19:16 <chandanc_> sure
04:20:16 <SridarK_> njohnston: can u run thru the L3 agent ext patches
04:20:37 <njohnston> Sure
04:20:43 <njohnston> #link https://review.openstack.org/357503  L3 agent extension API object
04:21:15 <njohnston> That one is looking good, has numerous +1s and I have some cores I will hit up for +2 tomorrow morning
04:21:20 <njohnston> no outstanding issues
04:21:48 <yushiro> it's so 'LGTM' :)
04:21:49 <njohnston> It gives the l3 agent extensions the ability to call the router_info object for whatever information they may need, which in the case of FWaaS is a lookup for router ID to namespace
04:21:50 <SridarK_> njohnston: yes it looked good to me - i think this will address our need
04:22:09 <njohnston> #link https://review.openstack.org/359221  Fix bug in L3 agent extension manager
04:22:27 <njohnston> This is just a minor fix, a backport of an issue found in similar L2 code
04:22:41 <njohnston> it already has one +2
04:22:56 <SridarK_> njohnston: ok good, i will look as well
04:23:27 <SridarK_> njohnston: with these - i think we will be ready with the framework
04:23:38 <njohnston> #link https://review.openstack.org/#/c/355576/ FWaaS v2 L3 Agent Extension RPC Callbacks
04:23:49 <njohnston> This is my main item of work tomorrow is getting it fixed up
04:23:58 <njohnston> It needs some work
04:24:56 <SridarK_> njohnston: ok with that we can undo the workaround (at least for v2)
04:25:08 <SridarK_> if we can do that selectively
04:25:09 <njohnston> Yes, the last one includes undoing the workaround
04:25:19 <SridarK_> and keep v1 as is
04:25:23 <njohnston> because without undoing the workaround there is no way to really test it
04:25:38 <SridarK_> yes
04:26:18 <SridarK_> we can spend some time tomorrow on how best keep the v1 code around and v2 - i think we have spent some time already
04:26:27 <SridarK_> here
04:26:29 <njohnston> sounds good
04:27:15 <SridarK_> ok i think we are on track here
04:27:29 <SridarK_> anything else to add njohnston: ?
04:27:38 <SridarK_> on this sub topic
04:27:39 <njohnston> Nope, that covers it.
04:27:44 <SridarK_> ok great
04:27:57 <SridarK_> yushiro: on ur patch sets
04:28:01 <yushiro> OK
04:28:10 <yushiro> #link https://review.openstack.org/#/c/351582/
04:28:21 <yushiro> Add FWaaS V2 commands
04:28:24 <SridarK_> yes i will get on that
04:28:48 <SridarK_> yushiro: one thing - how do we represent L2
04:28:54 <SridarK_> port associations
04:29:07 <SridarK_> may be a quick email
04:29:27 <SridarK_> and we can try to close on that by tomorrow - so u can update the patch accordingly
04:29:53 <SridarK_> with L3, the port exists and we add the fwg to it
04:30:12 <yushiro> SridarK_, sorry. you said that about L2-agent patch?
04:30:23 <xgerman> can’t we just create the port implicitly?
04:30:27 <SridarK_> with VMs - if we look at the Sec Grp workflow - as the VM comes up  we will need to bind it
04:30:47 <SridarK_> yushiro: yes sorry there some L2 Agent overlap here too
04:30:58 <SridarK_> but u will need to provide some CLI for that
04:31:16 <SridarK_> hence bringing it up in this context - lets discuss both together
04:31:17 <yushiro> SridarK_: OK, I understand.
04:32:01 <SridarK_> we may want to say that for any VM that comes up a specified tenant or specified subnet - apply the fwg
04:32:30 <xgerman> yep, default fwg
04:32:36 <SridarK_> so when the port create notification comes in - we can check if this port is on a subnet of interest and apply
04:32:39 <SridarK_> xgerman: yes
04:33:16 <yushiro> SridarK_: ah, yes. in L2-agent side, we have to trigger POST/PUT the port.
04:33:32 <SridarK_> yushiro: yes
04:33:55 <SridarK_> L2 agent triggers a notification to plugin - which will do the actual POST/PUT
04:34:25 <SridarK_> we talked abt this earlier with the spec - just want to be sure on the CLI spec for that
04:34:37 <SridarK_> so u can close out the CLI spec
04:35:26 <yushiro> SridarK_: OK.  exactly, I have to implement port association for CLI but I don't them now.
04:35:27 <chandanc_> SridarK_, I think a mail chain will be good to discuss this, will give us some time to think
04:35:31 <SridarK_> shall we do a quick email sync so everyone has a chance to take a look and provide some comments
04:35:38 <SridarK_> chandanc_: ditto :-)
04:35:40 <chandanc_> ^ +1
04:36:05 <yushiro> Thanks all.  It is very helpful.
04:36:23 <SridarK_> yushiro: would u like me to send  an email to all of us ?
04:36:50 <yushiro> SridarK_: Yes, please.
04:36:59 <SridarK_> ok will do
04:37:22 <SridarK_> yushiro: sorry i distracted, other things on the CLI patch
04:37:53 <SridarK_> that u would like to discuss
04:38:11 <yushiro> OK. in CLI patch, I was commented from amotoki and need to fix to align OSC plugin.
04:38:41 <yushiro> I'll fix it today but some discussion is necessary about port-association.
04:38:50 <SridarK_> yushiro: ok perfect
04:38:52 <yushiro> So, let's discuss in e-mail.
04:39:04 <SridarK_> yushiro: i think on the L3 we are good
04:39:15 <SridarK_> ok lets move on then
04:39:41 <SridarK_> on the L2 Patch
04:39:45 <SridarK_> https://review.openstack.org/323971
04:39:51 <SridarK_> (L2 Agent)
04:40:08 <njohnston> #link https://review.openstack.org/323971  FWaaS v2 extension for L2 agent
04:40:46 <yushiro> In L2 agent patch, I couldn't update yesterday, sorry.  I'll be updating now.
04:41:03 <SridarK_> yushiro: ok no that is good -
04:41:18 <padkrish> yushiro# can we discuss about the patch in IRC after the meeting?
04:41:38 <yushiro> padkrish: Sure. Let's discuss in openstack-fwaas channel.
04:41:47 <padkrish> ok
04:42:26 <SridarK_> ok great padkrish: if u can help there it will be great - but yushiro: and urself can coordinate
04:42:46 <yushiro> SridarK_: OK.
04:43:03 <padkrish> SridarK_# sure
04:43:09 <SridarK_> yushiro: are there any major blockers with the L2Agent patch ?
04:44:14 <yushiro> SridarK_: hmm, currently it's OK.
04:44:18 <SridarK_> As in the etherpad, njohnston: did some digging and felt that we can push the versioned obj piece to the 3rd wave
04:44:39 <SridarK_> i think there are no dependencies with the L3 agent Ext
04:45:06 <njohnston> The two patches I am most interested in, which are 2.1 and 2.2 on the agenda, we haven't talked about yet
04:45:09 <SridarK_> yushiro: i hope with L2 Agent also u will be okay without versioned obj
04:45:21 <yushiro> SridarK_: Yes, I think so.
04:45:36 <SridarK_> njohnston: ok trying to move down the stack :-)
04:45:43 <SridarK_> ok so we are good on L2
04:45:47 <njohnston> SridarK_: thanks :-)
04:45:55 <SridarK_> ok lets get to the drivers
04:46:06 <SridarK_> chandanc_: _SarathMekala_: pls go ahead
04:46:23 <njohnston> #link https://review.openstack.org/333338  Make ip_conntrack.IpConntrackManager a singleton
04:46:34 <njohnston> #undo
04:46:35 <openstack> Removing item from minutes: <ircmeeting.items.Link object at 0x7f5bbfbb9dd0>
04:46:38 <njohnston> #link https://review.openstack.org/348177  IPtables enhancement for co-existence of SG and FWaaS v2 drivers
04:46:48 <chandanc_> I got some minor comments on the IP conntrack manager patch from Sean
04:47:28 <njohnston> I am worried about this patch just because Sean's comment that the neutron people would be loath to merge something of such complexity just before the deadline.
04:47:46 <njohnston> So I think we need to engage the neutron community more vigorously
04:48:10 <_SarathMekala_> Sure
04:48:16 <njohnston> I plan on pinging kevinbenton and armax tomorrow on it
04:48:18 <chandanc_> yes, I have not got any major comments from Kevin
04:49:14 <xgerman> njohnston we might get an extension for that
04:49:24 <njohnston> chandanc_: Other than reviewer attention, any blockers?
04:49:28 <xgerman> so involving armax is wise
04:49:30 <njohnston> xgerman: Why do you think that?
04:49:42 <njohnston> that we might get an extension
04:49:52 <xgerman> neutron is usually slow with reviewing...
04:49:54 <chandanc_> We have done some tests with the SG driver initially
04:50:13 <chandanc_> it seemed to work fine
04:50:15 <xgerman> and we already have code…
04:50:28 <_SarathMekala_> no issues as per our tests... Ha Van Tu did some tests and said they worked as well
04:50:33 <chandanc_> we will not know till we have the L2 agent ext from fwaas ready
04:50:59 <_SarathMekala_> A snip from his comment "I have applied your patch for SG. It works well and matches your expectations for SG chains."
04:51:03 <njohnston> chandanc_: but at least we can feel confident saying there is no negative impact to SG
04:51:14 <chandanc_> sure we do
04:51:22 <SridarK_> yes this is a tight squeeze but lets push for it
04:51:28 <xgerman> +1
04:51:33 <njohnston> +100
04:51:40 <xgerman> and file for the extension if we need to
04:51:49 <yushiro> Thanks hoangcx and tuhv.
04:51:58 <SridarK_> yushiro: +1
04:52:04 <chandanc_> +1
04:52:14 <_SarathMekala_> +1 hoang and tuhv
04:52:17 <hoangcx> yushiro: NP. Our pleasure
04:52:25 <njohnston> let's also try hard to clean up the jenkins failures
04:52:33 <njohnston> so that it looks nice and mergeable
04:52:47 <SridarK_> meanwhile, lets also get the basic L2 driver in place
04:52:57 <SridarK_> so we can do some testing
04:53:35 <SridarK_> chandanc_: & _SarathMekala_ : we understand that this is a tough problem and thx for picking this up and running with it
04:53:47 <njohnston> Yes, thanks very much, it is a difficult one!
04:53:47 <chandanc_> yes, we have started to work on this, we should have things ready by this week
04:54:00 <_SarathMekala_> I had a question in this regards
04:54:02 <SridarK_> chandanc_: ok great
04:54:09 <SridarK_> _SarathMekala_: yes pls go ahead
04:54:33 <_SarathMekala_> when we translate a FW group or FW address group they map to an IPset on IPtables
04:54:57 <_SarathMekala_> as these artifacts can be shared, a reference counter should be maintained on the agent side
04:55:37 <SridarK_> _SarathMekala_: the instances will be tracked by the plugin
04:55:38 <_SarathMekala_> the driver will not track the reference count for ipsets... hope you are ok with this
04:56:06 <njohnston> _SarathMekala_: And that reference counter would be regenerated on agent reimposing the desired iptables?
04:56:08 <_SarathMekala_> Yeah.. plugin
04:56:22 <SridarK_> i dont think we shd track it in the agent either (i guess we can but u have to think of it as a cache)
04:56:38 <SridarK_> the src of truth will be in the plugin db
04:56:40 <njohnston> that should have said "on agent restart"
04:56:44 <SridarK_> as agents can restart
04:56:50 <SridarK_> ditto :-)
04:57:08 <chandanc_> +1
04:57:28 <SridarK_> ok we are running short on time
04:57:31 <_SarathMekala_> +1 cool
04:58:02 <xgerman> SridarK_ +1
04:58:06 <njohnston> There is one change that has no code dropped in gerrit yet, which is the "L2 iptables driver"
04:58:11 <SridarK_> i think we managed to get some major things done over the last week, i think we have some stretch goals for the next few days
04:58:46 <njohnston> SridarK_: Do you think we can copy the FWaaS v1 iptables driver as a start and modify it from there?
04:59:10 <SridarK_> njohnston: that may not be possible
04:59:19 <SridarK_> chandanc_: lets discuss this
04:59:30 <chandanc_> sure,
04:59:51 <chandanc_> njohnston, the fwaas v1 driver is for l3 it would not help us much
04:59:51 <SridarK_> ok folk lets carry over any discussion to openstack-fwaas
05:00:08 <chandanc_> but yes , we can start from mickeys code as a starting point
05:00:15 <chandanc_> sure SridarK_
05:00:20 <xgerman> ok, I will cut out ;-)
05:00:22 <yushiro> oh, it's time :)
05:00:28 <SridarK_> chandanc_: ok that will be good
05:00:33 <njohnston> Thanks to Bob melander for pitching in: https://review.openstack.org/#/c/359343/
05:00:34 <SridarK_> ok all many thanks
05:00:40 <SridarK_> njohnston: yes +1
05:00:44 <xgerman> +1
05:00:45 <yushiro> njohnston: ++1
05:00:48 <SridarK_> that is going well
05:00:56 <SridarK_> i synced with Bob in the AM
05:01:08 <SridarK_> njohnston: i will discuss more on that ps tomorrow with u
05:01:14 <njohnston> sounds good
05:01:15 <SridarK_> lets end
05:01:18 <njohnston> thanks all, good night
05:01:21 <njohnston> #endmeeting