14:01:03 <SridarK> #startmeeting fwaas
14:01:04 <openstack> Meeting started Tue Feb 7 14:01:03 2017 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:07 <openstack> The meeting name has been set to 'fwaas'
14:01:30 <SridarK> #chair njohnston xgerman yushiro
14:01:31 <openstack> Current chairs: SridarK njohnston xgerman yushiro
14:01:40 <xgerman> o/
14:01:47 <chandanc_> hello all
14:01:59 <SridarK> cool hi all lets get started
14:02:09 <yushiro> yes
14:02:14 <SridarK> #topic Ocata Release
14:02:46 <SridarK> a few things popped up on Fri, thx njohnston for bringing it to our attention
14:03:00 <njohnston> yes, armax killed a couple of the bugs
14:03:02 <njohnston> the last one is
14:03:06 <SridarK> #link https://bugs.launchpad.net/neutron/+bug/1661418
14:03:06 <openstack> Launchpad bug 1661418 in neutron "neutron-fwaas functional tests do not execute" [Critical,In progress] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
14:03:06 <njohnston> #link https://bugs.launchpad.net/neutron/+bug/1661418
14:03:10 <njohnston> :-)
14:03:14 <SridarK> ;-)
14:03:35 <SridarK> yushiro: thx for taking it on and i think u and reedip have a root cause
14:03:35 <yushiro> :)
14:03:38 <njohnston> I had a little time to look at it, but I asked Yushiro to carry on, and I think he made great progress overnight
14:03:46 <SridarK> great
14:04:02 <SridarK> yes it seems that we know what is going on
14:04:05 <yushiro> njohnston, SridarK You're welcome.
14:04:06 <SridarK> yushiro: pls go ahead
14:04:27 <yushiro> In https://review.openstack.org/430148
14:05:14 <yushiro> dvsm-functional with no test result. The cause is we removed test code at neutron_fwaas/tests/functional
14:06:02 <njohnston> Sorry about that. It was an abstract class that was never inherited from anywhere, so I thought it was a no-op
14:06:14 <yushiro> In order to execute functional test, we need to add test code.
14:06:36 <yushiro> njohnston, no-no. It was great to realize today :)
14:06:56 <SridarK> yushiro: +1 absolutely
14:07:05 <yushiro> So, currently I and reedip put dummy test code at neutron_fwaas/tests/functional .
14:07:17 <SridarK> yushiro: and that seems to work
14:07:30 <SridarK> we can see that single dummy test run
14:07:50 <njohnston> as far as why the db migration tests don't get executed, could it be that the change here needs to be reversed too? https://review.openstack.org/#/c/404927/1/neutron_fwaas/tests/functional/db/test_migrations.py
14:08:20 <xgerman> looks like it
14:09:04 <yushiro> njohnston, I hope so. ( not tested yet )
14:09:43 <SridarK> yes seems so - great so i think this should be done soon
14:10:44 <yushiro> Yeah. In addition, please review my grammar(commit message). I'm not good at writing English message ;;;
14:11:10 <njohnston> it looks good!
14:11:10 <yushiro> reedip, Thanks for your great help
14:11:17 <SridarK> yushiro: no worries - it is good
14:11:22 <yushiro> :)
14:11:34 <SridarK> the other 2 - #link https://bugs.launchpad.net/neutron/+bug/1661419 & https://bugs.launchpad.net/neutron/+bug/1661420 were on stable/newton
14:11:34 <openstack> Launchpad bug 1661419 in neutron "neutron-fwaas functional tests on stable/newton fail because db backend not set up" [Critical,Fix released] - Assigned to Armando Migliaccio (armando-migliaccio)
14:11:35 <openstack> Launchpad bug 1661420 in neutron "neutron-fwaas tempest v2 job on stable/newton fails with "extension could not be found"" [High,Fix released] - Assigned to Armando Migliaccio (armando-migliaccio)
14:11:36 <njohnston> yushiro: I know it is late in the day for you, let me know if you want me to carry on with this
14:12:10 <SridarK> sorry pls go ahead yushiro & njohnston
14:13:06 <yushiro> njohnston, Thanks. Could you update https://review.openstack.org/#/c/430148/ if necessary?
14:13:10 <njohnston> will do
14:13:16 <yushiro> Thanks!
14:13:31 <njohnston> thank you and reedip for all your hard work
14:13:40 <njohnston> sorry for the interruption SridarK
14:13:42 <SridarK> ok great thx njohnston - so we have a plan in place
14:13:49 <SridarK> no pls this is more imp
14:14:00 <SridarK> ok i think we are good
14:14:45 <yushiro> other 2 bugs(stable/newton) still looking.
14:15:01 <SridarK> the other 2 bugs - were taken care of by Armando - it needed some jugglery with tempest tests getting to run
14:15:26 <yushiro> SridarK, OK.
14:15:43 <yushiro> So, in this topic, it's all for me.
14:16:02 <yushiro> SridarK, plz go ahead :)
14:16:15 <njohnston> I noticed another change fixing tests as well:
14:16:15 <njohnston> https://review.openstack.org/430072
14:16:24 <SridarK> i cherrypicked the API tests - but then it needed to be squashed with a cherrypick of yamamoto's original fix to have selective runs of v1 & v2
14:16:31 <SridarK> thx njohnston
14:16:44 <SridarK> but the good news is that it is over
14:17:39 <SridarK> I will pull in the scenario tests from SarathMekala in to stable/newton - and if it runs fine - we can get that in as well
14:17:46 <SridarK> so we are on par with Ocata
14:18:43 <SarathMekala> SridarK, I will take care if there are any breakages
14:19:15 <SridarK> SarathMekala: ok cool - that had dependencies with the API and this chain of dependencies was getting to be messy
14:19:30 <SridarK> so i thought it best to wait for the API to get in
14:20:10 <SridarK> SarathMekala: u can pull it in as well - just one click from the browser
14:20:26 <SridarK> we can discuss offline
14:20:27 <SarathMekala> sure.. will do it
14:20:34 <SridarK> SarathMekala: thx
14:20:43 <SarathMekala> ok SridarK was about to type I havent done this before :)
14:21:00 <SridarK> SarathMekala: no worries - lets sync right after the mtg
14:21:16 <SarathMekala> sure SridarK
14:21:22 <SridarK> Ok if nothing else lets move on
14:21:33 <SridarK> #topic FWaaS v2
14:22:13 <SridarK> #link https://review.openstack.org/348177
14:22:27 <SridarK> chandanc_: thx for addressing Kevin's comments
14:22:29 <SridarK> pls go ahead
14:23:00 <chandanc_> I will update the patch to address those comments,
14:23:26 <chandanc_> one of the changes was done to fix the UT
14:24:20 <vks1> SridarK, i was looking for integ of SFC and FWAAS API, is this correct time to discuss ??
14:24:28 <chandanc_> On the general UT side, I was able to capture the expected UT results, but those have to be converted in to reges to fix the templates
14:24:45 <SridarK> vks1: hi - i have it in my agenda - will bring it up later
14:24:53 <vks1> SridarK, ok
14:25:14 <chandanc_> *regex
14:25:18 <SridarK> chandanc_: ok
14:25:58 <chandanc_> not much beyond that
14:26:31 <SridarK> chandanc_: ok thx - i think we should converge soon and worst case - we can try to close it during the PTG
14:26:39 <xgerman> +1
14:26:46 <chandanc_> ok SridarK
14:26:53 <yushiro> +1
14:27:09 <SridarK> #link https://review.openstack.org/361071
14:27:23 <SridarK> chandanc_: pls go ahead with the L2 driver -
14:27:59 <chandanc_> I fixed all the UTs on the driver side, manually verified the driver calls
14:28:43 <chandanc_> there are some calls to the driver from the l2 ext patch, to reset the ports to default security policy
14:29:21 <chandanc_> we need to discuss, the default setting when the ports are removed from FWG
14:29:54 <chandanc_> me and Paddu will sync up on that
14:30:14 <SridarK> would it be the current port attributes - FWG attributes
14:30:43 <SridarK> basically remove the FWG rules
14:30:57 <SridarK> but other attributes will stay intact ?
14:31:27 <chandanc_> ya that was my thought, but looks like we will have some default rules
14:32:06 <chandanc_> and the port removed from the FWG will have these rules applied, thats my understanding
14:32:25 <SridarK> hmm ok
14:32:54 <SridarK> maybe more discussion is needed then - will let u close on that and we can summarize over email or next meeting
14:32:55 <chandanc_> currently the reset_port is no-op
14:33:02 <yushiro> chandanc_, You mean default firewall group? or some rules which is invisible from a user?
14:33:03 <chandanc_> sure
14:33:15 <xgerman> yushiro +1 - this is confusing me, too
14:33:38 <chandanc_> yushiro, i dont have much clarity on that but looks like the latter case
14:33:47 <xgerman> default rules like default SG should be applied at port creation
14:34:09 <chandanc_> yes
14:34:22 <SridarK> #action chandanc_ to close on discussion on default setting when ports are removed from FWG
14:34:59 <xgerman> +1
14:35:01 <SridarK> chandanc_: pls feel free to pull in whoever is needed for discussion
14:35:22 <SridarK> #link https://review.openstack.org/323971
14:35:36 <chandanc_> sure
14:35:39 <SridarK> #link https://review.openstack.org/#/c/425769/
14:35:45 <SridarK> chandanc_: thx
14:36:14 <yushiro> SridarK, thanks
14:36:16 <SridarK> yushiro: pls go ahead - these 2 are quite related with the L2 Agent and DEFAULT FWG changes
14:37:04 <yushiro> SridarK, yes. Sorry, today I couldn't sync up with paddu but I just rebased to fix pep8 issue. https://review.openstack.org/323971
14:37:36 <yushiro> chandanc_, I just add comment to this patch in order to call driver for l2 port. Please check it :)
14:37:53 <chandanc_> yushiro, sure will do
14:38:21 <SridarK> ok cool
14:38:34 <yushiro> And https://review.openstack.org/#/c/425769/ (default firewall group), I updated from cedric's comment. currently, it can work fine. However, we need to discuss something.
14:38:46 <SridarK> it is good that we are coming to the point where we are looking at integration issues here
14:38:54 <SridarK> yushiro: pls go ahead
14:39:34 <yushiro> SridarK, thanks. In default firewall group DB migration I add 1 validation.
14:40:24 <yushiro> so, default firewall group is named 'default' and exists in each project. Therefore, non-admin user cannot create firewall group with name 'default'.
14:41:14 <SridarK> That seems reasonable
14:41:18 <yushiro> If firewall group exists named 'default' before migration, it raises "Duplication error".
14:41:50 <yushiro> https://review.openstack.org/#/c/425769/3/neutron_fwaas/db/migration/alembic_migrations/versions/ocata/expand/876782258a43_create_default_firewall_groups_table.py
14:41:54 <yushiro> L.36
14:42:17 <yushiro> I think it's OK but need some comments :0
14:42:20 <yushiro> :)
14:43:36 <yushiro> And, maybe njohnston knows that some driver team are discussing about admin customized default security-group.
14:43:57 <SridarK> meaning - we are not allowing any FWG's named 'default' prior to migration
14:44:29 <yushiro> SridarK, thanks for your follow! yes, that is my opinion and current implementation.
14:45:54 <yushiro> currently, I'm following default security-group behavior. Please feel free to review comment.
14:46:30 <njohnston> yushiro: yes, there was a discussion about that in the drivers team, but I think I convinced everybody that if you want that you should probably be using FWaaS
14:46:30 <SridarK> Ok i am not so sure - but being aligned with SG is a start
14:46:54 <SridarK> or we will need to add an attribute instead of relying on the name
14:46:55 <yushiro> SridarK, +1
14:47:08 <xgerman> +1
14:47:20 <yushiro> njohnston, OK
14:47:36 <yushiro> In addition, maybe tomorrow, I'll put "applying default firewall group" patch.
14:47:57 <njohnston> Our router is also subject to the default security Group?
14:48:23 <yushiro> njohnston, yes. That's my understanding.
14:48:40 <njohnston> s/Our/are/
14:48:46 <yushiro> njohnston, I mean not only l2 but l3 port should be applied default firewall group.
14:48:53 <njohnston> Ok good
14:48:56 <xgerman> +1
14:49:26 <njohnston> We should make that clear in the documentation though
14:49:31 <yushiro> And I found 1 issue about "applying default firewall group". I'll send e-mail to all.
14:49:53 <SridarK> Surely but it is more important with L2 as we could bring up a VM with no security on it until we integrate with nova
14:50:05 <SridarK> yushiro: ok
14:50:07 <yushiro> njohnston, Indeed. we should store some evidence or concrete log :)
14:50:21 <SridarK> lets move on in the interest of time
14:50:35 <SridarK> #topic Stadium Compliance
14:50:36 <yushiro> SridarK, sorry for taking long time. plz go ahead.
14:50:42 <SridarK> yushiro: no worries
14:50:52 <SridarK> njohnston: pls go ahead
14:51:55 <SridarK> njohnston: and we can figure out a model so that we can take over some of the enormous work u have been doing so u can get freed up
14:53:23 <njohnston> The last thing to do is to adopt the API from neutron-lib
14:53:38 <njohnston> Which I am holding on until Pike opens up
14:53:47 <xgerman> sounds reasonable
14:54:04 <SridarK> njohnston: ok great and lets sync up offline to look for the best way forward
14:54:12 <njohnston> Later we should add fullstack tests too, and augment our functional tests
14:54:35 <SridarK> njohnston: yes and our tempest tests need some additions as well
14:54:46 <SridarK> njohnston: thx
14:54:59 <SridarK> #topic SFC and FWaaS integration
14:55:15 <SridarK> vks1: pls go ahead - sorry we had a full set of things to discuss
14:55:25 <SridarK> want to welcome u to the group
14:55:49 <vks1> SridarK, thnks, i was looking to integrate FWAAS with SFC
14:56:01 <xgerman> cool!
14:56:30 <SridarK> on SFC - FWaas - i had a brief discussion with Cathy during the last summit - but honestly we have not come there yet
14:56:39 <SridarK> but this is a good time to start thinking about it
14:56:56 <xgerman> it was our plan all along when we moved to ports
14:57:05 <vks1> there are couple of things, first - SFC makes port-security disable and if thats the thing FWAAS is no good then
14:57:06 <SridarK> xgerman: +1
14:58:01 <SridarK> vks1: we will need to look into that and see how things work with chaining
14:58:37 <SridarK> Lets get a list of things to discuss and we can start that with the SFC folks
14:58:54 <vks1> the other thing is SFC as of now doesn't consider on nature/mode of VNF/device which is just not good for deployment , consider if it supports in future which i see must otherwise have no real use case, we need to make sure rules rendered shud be compliant
14:58:55 <SridarK> In principle - Cathy was very much interested in this as well
14:59:08 <SridarK> 2 min warning
14:59:11 <vks1> even i have tried communicating with group
14:59:23 <vks1> ok then do u think in next meeting
14:59:25 <vks1> ???
14:59:25 <SridarK> vks1: i will send u an email with the rest of the fwaas folks on it
14:59:46 <SridarK> and get u some pointers for etherpad etc
15:00:02 <SridarK> Lets end on that note since we are at time
15:00:11 <SridarK> Thanks all for joining and have a great week
15:00:18 <vks1> SridarK, OK
15:00:19 <yushiro> Thanks.
15:00:20 <yushiro> bye
15:00:23 <hoangcx> bye
15:00:24 <SridarK> #endmeeting fwaas