14:00:05 <njohnston> #startmeeting fwaas
14:00:08 <openstack> Meeting started Tue Jan 17 14:00:05 2017 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:12 <openstack> The meeting name has been set to 'fwaas'
14:00:30 <yushiro> Hi!
14:00:31 <njohnston> #chair xgerman yushiro SridarK
14:00:40 <openstack> Warning: Nick not in channel: SridarK
14:00:41 <njohnston> Good morning FWaaS friends
14:00:41 <openstack> Current chairs: SridarK njohnston xgerman yushiro
14:00:45 <xgerman> o/
14:00:52 <njohnston> Let's wait a moment for everyone to arrive
14:00:54 <SarathMekala> Hi all O/
14:00:58 <hoangcx> hi all
14:01:02 <tuhv> hi,
14:01:05 <chandanc_> Hello all
14:02:08 <njohnston> ok, let's get started
14:02:18 <njohnston> #topic Stadium Compliance
14:02:28 <njohnston> We had a huge set of merges last week
14:02:35 <yushiro> Yes.
14:02:38 <njohnston> congratulations all - just about everything is now done!
14:02:51 <xgerman> + 1
14:03:04 <yushiro> Thank you
14:03:04 <njohnston> api definitions are now merged into neutron-lib, as is the api-ref and the OSC
14:03:36 <njohnston> neutron-lib was just released, so this morning I will spin a patch to migrate to using the neutron-lib api definition
14:04:07 <njohnston> The only thing left to do is something that I can now start looking at, which is the fullstack work - as soon as the python-neutronclient release happens
14:04:24 <xgerman> awesome
14:04:27 <njohnston> anything else on the Stadium?
14:04:49 <SridarK> Hi All Sorry to be late connectivity issues
14:04:53 <yushiro> Hi SridarK :)
14:04:56 <njohnston> no problem SridarK!
14:05:30 <njohnston> OK, so that covers the Neutron Stadium. Next up...
14:05:35 <njohnston> #topic FWaaS v2
14:06:02 <njohnston> #link https://review.openstack.org/348177 neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath)
14:06:15 <njohnston> I saw you spun a new patchset for this
14:06:18 <njohnston> can
14:06:21 <njohnston> chandanc
14:06:23 <njohnston> (sorry)
14:06:34 <njohnston> looks like it is still having issues with the tests
14:06:47 <chandanc_> ya, i was able to do some tests with the patch
14:06:54 <njohnston> I worked a bit this weekend on sorting out the output of the iptables dump to figure out the differences
14:07:01 <njohnston> it's difficult
14:07:16 <chandanc_> njohnston, i am mostly done with the UTs
14:07:26 <chandanc_> will be sending a patch with the fixes
14:07:39 <chandanc_> mostly by today
14:07:44 <njohnston> Super!
14:07:47 <SridarK> chandanc_: great
14:08:03 <chandanc_> ya, actually i was able to run some tests with fwaas-v1
14:08:09 <chandanc_> that help a lot
14:08:27 <njohnston> excellent
14:08:32 <SridarK> with this hopefully we can quickly move fwd on L2 integration
14:08:35 <xgerman> +1
14:08:37 <njohnston> reminder: next week is feature freeze for Ocata
14:08:42 <chandanc_> i might still ask for some help in testing, will send a mail with the details
14:08:51 <njohnston> so if you need any help please reach out sooner rather than later
14:08:55 <xgerman> +1
14:09:06 <SridarK> how quickly time flies esp on a shorter cycle :-(
14:09:08 <chandanc_> yes, will do
14:09:21 <yushiro> yes very shorter..
14:09:38 <njohnston> next is
14:09:39 <njohnston> #link https://review.openstack.org/361071 neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)
14:09:48 <njohnston> I believe I saw a PS from padkrish there
14:10:07 <njohnston> er, no, I am wrong, it was
14:10:07 <njohnston> #link https://review.openstack.org/323971 neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)
14:10:09 <SridarK> no that was for the L2 agent
14:10:42 <chandanc_> i had a look at the L2 patch as well, the patch looks good in terms of UT but will come to know once integration begins
14:11:06 <njohnston> So let's talk about the driver - once the neutron change happens, is this pretty much ready to go?
14:11:45 <chandanc_> it seems nearly, but more when i can git it a test run
14:11:50 <SridarK> chandanc_: since we cannot create dependency, perhaps we need to handcraft something for some manually testing
14:12:29 <chandanc_> SridarK, please let me know if you have some idea on the test part, it will be of help
14:12:58 <SridarK> chandanc_: yes we can focus on functional correctness as step 1
14:13:11 <chandanc_> ya agree
14:13:30 <SridarK> chandanc_: we can discuss some more on this
14:13:40 <chandanc_> sure
14:13:43 <njohnston> ok
14:13:54 <SridarK> chandanc_: will ping u later
14:13:58 <reedip_> hi
14:14:05 <reedip_> did I miss anything
14:14:06 <chandanc_> sure SridarK
14:14:10 <SridarK> reedip_: hi
14:14:15 <yushiro> hi reedip_
14:14:17 <xgerman> hi
14:14:21 <njohnston> and switching back to the L2 extension, how does that look yushiro? SridarK, any recent communications from padkrish?
14:14:42 <SridarK> njohnston: yes padkrish made some updates
14:15:23 <SridarK> yushiro: sorry i could not sync with u last week but we can set a time today eve (Pacific) and ur Wed morn
14:15:47 <yushiro> SridarK, njohnston, I'm testing/editing l2 agent patch on my local devstack now. OK!
14:15:50 <SridarK> i will ping padkrish for a time and let u know - we can try to close out any remaining pieces quickly
14:16:03 <njohnston> excellent
14:16:04 <yushiro> SridarK, Sure.
14:16:20 <SridarK> once this is in we can be ready for the L2 driver piece
14:16:52 <njohnston> anything else on FWaaS v2?
14:17:20 <njohnston> #topic neutron-lib
14:17:54 <njohnston> Not much to say here, just that with the release of neutron-lib there'll be a patch or two that start making use of things we have added to it.
14:18:37 <xgerman> yeah!
14:18:37 <njohnston> Not really pushing anything else forward in neutron-lib at the moment; once Ocata is locked I will update the punchlist.
14:19:08 <njohnston> moving on
14:19:09 <njohnston> #topic performance improvement for v1
14:19:23 <tuhv> hi
14:19:35 <njohnston> tuhv: you have the floor
14:19:46 <tuhv> i updated my patch to be independent on Neutron
14:19:55 <tuhv> it is ready for review
14:20:08 <njohnston> excellent, I will take a look at it, probably tomorrow
14:20:15 <yushiro> tuhv, Sure. will do tomorrow.
14:20:17 <tuhv> thanks
14:20:32 <njohnston> thanks for the link to the testing scripts that you put in the meeting notes, that is very helpful
14:20:41 <tuhv> you can take my guide on github
14:20:52 <tuhv> njohnston, thanks
14:21:01 <hoangcx> njohnston, It is really appreciated.
14:21:03 <njohnston> #link https://github.com/uttu90/FWaaSNetlink - Reference scripts for testing netlink performance
14:21:25 <njohnston> OK, next up
14:21:29 <njohnston> #topic bugs
14:21:53 <njohnston> yushiro has been finding a number of bugs - an outstanding effort, to be sure
14:22:10 <yushiro> njohnston, You're welcome. Please talk about some bugs.
14:22:14 <SridarK> yushiro: nice
14:22:27 <SarathMekala> +1 Great
14:22:28 <njohnston> yushiro: You've detailed these in the meeting notes, I think my first question is, have you filed bug reports in Launchpad for these?
14:22:31 <xgerman> +1
14:22:38 <reedip_> Yes, I get an email everyday from Launchpad that yushiro logged a bug ;)
14:22:58 <njohnston> :-)
14:23:22 <njohnston> yushiro: If you have created changes to fix these could you link to them as well?
14:23:23 <yushiro> njohnston, 1, 2 not yet. Regarding 1, I need agreement.
14:23:30 <njohnston> To go through the bugs:
14:23:37 <njohnston> 1. Default parameter of 'protocol' in firewall-rule is 'ICMP' (It seems 'tcp' is more useful)
14:23:52 <njohnston> I agree that if there is to be a default, tcp should be the default.
14:23:57 <xgerman> +1
14:24:07 <SarathMekala> +1
14:24:15 <yushiro> njohnston, Thanks. So, we need to file bug-report about '1'
14:24:23 <xgerman> yep
14:24:34 <reedip_> TCP makes more sense
14:24:38 <SridarK> yushiro: do u recall if this behavior is spilling over from v1 ?
14:25:28 <yushiro> SridarK, hmm, sorry I verified only v2
14:25:40 <yushiro> SridarK, I'll check the behavior on v1.
14:25:40 <SridarK> yushiro: np - will take a look
14:25:53 <njohnston> Ok, so we might check v1 if we have time, but more important to fix it in v2
14:26:08 <njohnston> Bug 2. 'public' visibility does not run correctly: non-admin user cannot see 'public' resource.
14:26:32 <SarathMekala> I have a v1 setup.. will check and confirm
14:26:33 <njohnston> this seems like a significant problem
14:26:38 <yushiro> njohnston, Thanks. I think bug2 is definitely bug.(not filed bug-report)
14:26:57 <SridarK> hmm indeed this is a serious issue
14:27:05 <SridarK> SarathMekala: ok thx
14:27:06 <xgerman> +1
14:27:25 <xgerman> not sure if that would be fixed by policy.json?
14:27:43 <yushiro> xgerman, regarding bug2, not fixed.
14:27:49 <xgerman> ok
14:27:56 <njohnston> I doubt that it is a policy.json issue
14:28:09 <yushiro> njohnston, I think so too.
14:28:48 <njohnston> so definitely file a bug for this and we can work on it urgently
14:29:20 <SridarK> yushiro: in what u have seen - do u think we are missing some validation logic for this ?
14:29:25 <xgerman> we should check with policy
14:29:32 <xgerman> it seems we have a rule for that
14:29:44 <SridarK> yes i am wondering too
14:29:46 <yushiro> SridarK, sorry. about bug2?
14:29:58 <xgerman> "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
14:30:14 <SridarK> yushiro: yes Bug2
14:30:17 <xgerman> yes
14:30:36 <njohnston> yes anyone should be able to get a shared firewall
14:30:49 <njohnston> so it might be as easy as fixing that, that is good
14:30:49 <yushiro> SridarK, sorry, I'm not sure. will check fwaas source code.
14:31:04 <SridarK> yushiro: np - i will check too on this
14:31:17 <njohnston> Bug 3. Firewall policy and rule are not enforced policy (Non-admin user can create 'firewall_policy' or 'firewall_rule' with 'public' attribute)
14:31:32 <njohnston> Yushiro notes:
14:31:49 <njohnston> I applied https://review.openstack.org/#/c/404942/ but not changed. Result is as follows:
14:31:49 <njohnston> - firewall_group: http://paste.openstack.org/show/595195/
14:31:49 <njohnston> - firewall_policy: http://paste.openstack.org/show/595198/
14:31:51 <njohnston> - firewall_rule: http://paste.openstack.org/show/595196/
14:32:10 <reedip_> njohnston : so a non-admin user cannot create shared firewall_rule/policy ?
14:32:25 <yushiro> Regarding bug3, I checked applying xgerman's patch and not applying patch but unfortunately, it was same result.
14:32:37 <xgerman> :-(
14:32:48 <SridarK> i am wondering if we have some relation to Bug2
14:32:53 <njohnston> reedip_: correct, the way we have implemented it right now, you need to be admin to create a shared firewall_policy or firewall_rule
14:33:21 <xgerman> yep, I changed a scenario test to update something less contentious
14:33:30 <yushiro> Why the result is different b/w firewall_group and other resources...
14:33:45 <xgerman> probably a bug in the policy?
14:35:20 <njohnston> and finally 4 is for OSC problems
14:35:20 <yushiro> xgerman, regarding bug3, maybe policy's bug but I'm not sure currently.
14:35:41 <xgerman> yeah, I am a bit confused as well…
14:35:43 <njohnston> Bug 4.1. Cannot get 'ports' attributes from firewall_group (Even if OSC plugin fixed, current firewall_group doesn't have 'ports' attributes in GET response. https://bugs.launchpad.net/neutron/+bug/1640395 relates this situation.
14:35:43 <openstack> Launchpad bug 1640395 in neutron "Missing 'ports' attribute when GET firewall-groups" [Low,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)
14:36:10 <yushiro> njohnston, so sorry!! Regarding OSC problems, I'll post PS ASAP :)
14:36:31 <njohnston> no problem yushiro, I am just glad you found these!
14:36:34 <SridarK> ok let me refresh my memory on what is going on with 4.1
14:37:48 <SridarK> yushiro: did u already do some work on 4.1 or i can work on it today
14:37:51 <njohnston> and Bug 4.2. Cannot get 'firewall_rules' attributes from firewall_policy
14:38:14 <njohnston> yushiro mentioned in the meeting notes that he already has a PS to address 4.1 and 4.2.
14:38:15 <SarathMekala> Sorry I got disconnected in between
14:38:24 <njohnston> yushiro: Could you send a link?
14:38:25 <yushiro> SridarK, Yes 4.1 and 4.2, I've already created PS(UT not yet)
14:38:36 <SridarK> yushiro: ok
14:38:47 <yushiro> njohnston, sorry, In my local environment not posted yet.
14:38:57 <SridarK> yushiro: ah ok
14:39:10 <njohnston> OK, as soon as you upload it could you ping the url in the #openstack-fwaas channel?
14:39:43 <reedip_> is there an FWaaS Channel :O
14:39:44 <yushiro> 4.1 and 4.2's cause were typo and missing argument into some methods.
14:40:00 <yushiro> njohnston, Sure.
14:40:06 <SridarK> yushiro: ok perfect, we can get these in quickly
14:40:20 <SridarK> perhaps when u start ur day
14:40:34 <njohnston> We should end up with unit/fullstack/tempest tests for each of these (as appropriate) but I do not think we need to have those right now, we could add them after Ocata is frozen. I would rather go without a tempest test but get fwaas v2 delivered than the other way around.
14:40:49 <xgerman> +1
14:40:49 <SridarK> njohnston: huge +1
14:41:02 <yushiro> +++1
14:41:07 <SridarK> and we do have some more time with bugs
14:41:26 <yushiro> SridarK, yes
14:41:49 <reedip_> https://bugs.launchpad.net/neutron/+bug/1657084
14:41:49 <openstack> Launchpad bug 1657084 in neutron "[RFE]Add time period attribute to firewall_rule" [Undecided,New] - Assigned to zhaobo (zhaobo6)
14:41:57 <reedip_> This was logged recently
14:42:12 <reedip_> I had a similar bug for v1 but it was declined at that time
14:42:34 <njohnston> reedip_: Interesting, I will take a look at that
14:42:51 <yushiro> reedip_, thanks for your information.
14:43:04 <SarathMekala> I think it becomes a little tricky with iptables
14:43:15 <SarathMekala> we need to use an iptable extension for time periods
14:43:16 <SridarK> this will need some work possible to effect this - more a featurette
14:43:34 <SridarK> i would say lets look at it for Pike
14:43:34 <reedip_> njohnston, yushiro : I had one feature for FwaaS v1 ; https://review.openstack.org/#/c/236840/
14:43:49 <reedip_> That was shot down earlier, wanted to know if it can be put forward
14:44:13 <njohnston> SarathMekala: I don't think we would encode the time period data in iptables; I think neutron-fwaas, as the orchestration engine for iptables, would need to track the time and add/remove at the specified time intervals.
14:44:46 <SridarK> reedip_: perhaps we can look at it with a v2 lens ?
14:44:49 <yushiro> reedip_, OK. I'll take a look. thanks.
14:45:09 <reedip_> SridarK : Exactly thats what I wanted.
14:45:09 <SarathMekala> njohnston, yes can be done this way as well.. iptables also have a provision for the same
14:45:16 <SridarK> we are on the path to deprecate v1
14:45:31 <SridarK> reedip_: ok perfect, so for Pike ?
14:45:44 <SridarK> surely we can discuss it
14:45:45 <reedip_> SridarK : There is no LIKE option in xchat :P
14:45:56 <njohnston> Any other bugs to bring up?
14:46:08 <SridarK> reedip_: :-)
14:46:09 <reedip_> yes, for Pike. I will log it as a bug and it can be discussed
14:46:15 <xgerman> k
14:46:27 <SarathMekala> yushiro,SridarK : Checked V1.. TCP is the default option for protocol
14:46:46 <SridarK> ah perfect thx SarathMekala
14:46:47 <yushiro> SarathMekala: Thanks! will file a bug report.
14:47:10 <SarathMekala> yushiro, one question for you
14:47:20 <SarathMekala> in V2 enabled has been renamed to public right?
14:47:40 <SarathMekala> sorry *shared
14:47:53 <yushiro> SarathMekala, Yes, changed from 'shared' to 'public'.
14:48:02 <SarathMekala> I think there is a bug in the CLI
14:48:12 <SarathMekala> it still shows shared
14:48:51 <yushiro> SarathMekala, Is CLI OSC plugin? (like 'openstack firewall group show fwg1)
14:48:52 <SarathMekala> [--tenant-id TENANT_ID] [--shared] [--name NAME]
14:48:55 <SarathMekala> snippet of the line
14:49:14 <xgerman> let’s file a bug. Should be easy fix
14:49:22 <SarathMekala> no.. am trying out neutron firewall-create-rule
14:50:07 <yushiro> SarathMekala, aha, I understood. fwaas v2 can only retrieve using 'openstack' command.
14:50:30 <yushiro> SarathMekala, 'neutron firewall-rule xxx' retrieve only fwaas-v1.
14:50:57 <SarathMekala> oh.. thanks.. I may need to restack with latest code
14:51:29 <njohnston> #topic Open Discussion
14:51:35 <njohnston> #link https://etherpad.openstack.org/p/neutron-ptg-pike If you are going to the Atlanta PTG, note your attendance here!
14:51:36 <yushiro> SridarK, njohnston, xgerman I'd like to talk a little about bugs at openstack-fwaas.
14:51:47 <njohnston> yushiro: absolutely
14:51:58 <SridarK> yushiro: yes
14:52:11 <xgerman> I gotta run but will be back in an hour
14:52:16 <yushiro> njohnston, SridarK xgerman : Thanks
14:52:38 <xgerman> I like to have this policy thing resolved… armax is really throwing us a wrench
14:53:24 <xgerman> anyhow, gotta run… o/
14:53:30 <SridarK> xgerman: bye
14:53:34 <yushiro> xgerman, aha, OK. bye!
14:54:06 <njohnston> Does anyone have anything else?
14:54:17 <SridarK> nothing else from me
14:54:53 <reedip_> same time next week ?? ( I forget when is FWaaS meeting :( )
14:54:54 <yushiro> nothing.
14:54:56 <SarathMekala> I got pulled into some work and could not make progress on horizon
14:55:12 <SridarK> SarathMekala: no worries - it will be Pike anyways
14:55:12 <njohnston> reedip_: Yes, same time next week!
14:55:17 <chandanc_> SridarK, can we catchup on testing tomorrow ? i will need to be away today
14:55:22 <SarathMekala> oh ok
14:55:25 <SridarK> chandanc_: yes surely
14:55:26 <yushiro> reedip_, 14:00 UTC http://eavesdrop.openstack.org/#API_Working_Group
14:55:35 <chandanc_> SridarK, thanks
14:55:40 <SridarK> chandanc_: ur morning and pacific eve/night
14:55:49 <yushiro> reedip_, at #openstack-meeting-4
14:55:54 <chandanc_> sure
14:55:58 <chandanc_> will ping
14:56:07 <SridarK> chandanc_: or even in a couple of hours
14:56:07 <yushiro> I definitely hope I can go PTG :)
14:56:21 <SridarK> yushiro: u are still waiting on the travel ?
14:56:30 <chandanc_> will try, but cant promise :(
14:56:39 <reedip_> I also am on the hooks for the PTG
14:56:43 <yushiro> SridarK, yes
14:56:47 <SridarK> chandanc_: no prob ur morn for sure then
14:56:53 <chandanc_> sure
14:57:11 <SridarK> yes travel budgets are getting tighter
14:57:40 <njohnston> I will definitely be at Atlanta and whatever the next PTG is, but I probably will not be in Boston and Sydney, it turns out
14:58:07 <SridarK> njohnston: oh
14:58:13 <yushiro> oh... njohnston
14:58:44 <reedip_> I hope you do visit Sydney ... :)
14:58:47 <SridarK> for us too each one is "kind of depends" ...
14:58:49 <njohnston> travelling 4x a year is more than I can make happen it seems
14:59:03 <reedip_> I hope I do too :P
14:59:11 <yushiro> :)
14:59:12 <njohnston> reedip_: I agree!
14:59:18 <SridarK> it will be int to see how much the PTG model catches on
14:59:26 <SridarK> 1 min warning
14:59:42 <SridarK> all right folks thx for attending and have a great week
14:59:58 <SridarK> lets do the big push for L2
15:00:03 <njohnston> +100
15:00:05 <njohnston> OK, thanks everyone!
15:00:06 <yushiro> Yes definitely
15:00:08 <njohnston> #endmeeting