14:00:33 <yushiro> #startmeeting fwaas
14:00:34 <openstack> Meeting started Tue Apr 11 14:00:33 2017 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:35 <xgerman> o/
14:00:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:38 <SarathMekala> hi all O/
14:00:38 <openstack> The meeting name has been set to 'fwaas'
14:00:46 <yushiro> #chair SridarK yushiro xgerman njohnston
14:00:46 <openstack> Current chairs: SridarK njohnston xgerman yushiro
14:00:50 <cuongnv> hi
14:00:59 <annp> hi
14:01:12 <chandanc_> Hello all
14:01:25 <yushiro> SridarK, OK, I'll do it today :)
14:01:28 <xgerman> +1
14:01:37 <yushiro> #topic Pike
14:01:41 <SridarK> yushiro: yes ur turn :-)
14:02:07 <yushiro> Discussion with Kevin - go with OVS rather than iptables for L2 as neutron will move to OVS support
14:02:19 <yushiro> #link https://review.openstack.org/361071
14:02:49 <yushiro> sorry. I missed.  https://review.openstack.org/#/c/323971/
14:02:59 <yushiro> and https://review.openstack.org/#/c/447251/4
14:03:13 <yushiro> chandanc_, it's your turn :)
14:03:43 <chandanc_> I have been doing some tests with the coexistence of SG and FWG
14:04:22 <xgerman> col
14:04:27 <xgerman> cool
14:04:29 <yushiro> OK
14:04:29 <chandanc_> as of last update i was able to run the SG and FWG l2 driver side by side
14:04:37 <xgerman> Nice!
14:04:42 <chandanc_> http://paste.openstack.org/show/606135/
14:04:47 <chandanc_> some output
14:05:11 <yushiro> Thanks for your link
14:05:27 <chandanc_> the issue now is to merge the two so that the packet is accepted only when both SG and FWG allows it
14:05:39 <SridarK> chandanc_: could u maybe do a quick walk thru of the paste ?
14:06:00 <chandanc_> the driver (both SG and FWG) use 5 tables each
14:06:05 <chandanc_> sure
14:06:53 <chandanc_> 1 sec plz
14:07:01 <SridarK> chandanc_: np
14:07:14 <chandanc_> https://review.openstack.org/#/c/447251/4/neutron_fwaas/services/firewall/drivers/linux/l2/openvswitch_firewall/constants.py
14:07:15 <SridarK> if u want to put out a google doc later on that is fine too
14:07:33 <chandanc_> i will send a mail and put up a doc
14:07:43 <yushiro> sounds good.
14:08:10 <SridarK> ok now the significance of the tables is more clear with ur link ^^^
14:08:19 <SridarK> yes lets take it offline
14:08:21 <SridarK> thx chandanc_
14:08:29 <chandanc_> if you look at the constants you will see that 5 tables are used by the driver, ingress base, ingress fw rules, egress base, egress fw rules and the accept table
14:08:41 <yushiro> (41, 42, 43, 51 and 52)
14:09:11 <SridarK> chandanc_: yes that helps
14:09:16 <chandanc_> the FWG uses series tables 40 to 50 series
14:09:18 <chandanc_> yes
14:09:33 <chandanc_> and 70 to 80 series is used by SG
14:10:07 <chandanc_> now we have to chain these tables so that the packet flows through both SG and FWG before being accepted
14:10:28 <chandanc_> there is some overlap in the rules that may be optimized
14:11:07 <SridarK> but by the table allocations the separation is clean
14:11:08 <chandanc_> but at the same time we have to take care to retain the possibility of running these drivers independently
14:11:17 <chandanc_> yes SridarK
14:11:59 <chandanc_> we may have case when fwaas is on enabled or SG is enabled with iptables
14:12:20 <xgerman> +1
14:12:21 <chandanc_> we have to decide which of the above combination we will support
14:12:59 <SridarK> i wonder if we need to do that
14:13:01 <xgerman> I am still not sure if kevinb meant all of Neutron was going OVS or just FWaaS
14:13:10 <chandanc_> i could make some changes to chain the tables, but will need some more playing around
14:13:12 <xgerman> if it’s the former it will cut down on combinations
14:13:13 <SridarK> xgerman: i believe it was neutron
14:13:18 <xgerman> yep
14:13:32 <xgerman> that’s my belief as well but it’s not documented anywhere
14:13:38 <chandanc_> sure SridarK, if we can reduce the combination it will help
14:13:52 <yushiro> so, 1: fw=ovs, sg=ovs  2:fw=ovs, sg=iptables  3:fw=iptables, sg=ovs  4:fw=iptables, sg=iptables
14:14:19 <SridarK> xgerman: and i recall u also raised this at the PTG for backwards compat esp if we have someone who is running sg with iptables and may not want to make the jump
14:14:31 <xgerman> yes
14:14:42 <xgerman> and he said there might be a “hybrid”
14:14:50 <xgerman> but they also had migration scripts
14:14:54 <chandanc_> I will send a detailed mail on the current understanding and the approach i am taking to make the coexistence work
14:15:14 <xgerman> I am ok with not supporting iptables SG
14:15:27 <xgerman> in our first release
14:15:27 <SridarK> if we do need to support a sort of hybrid that can be pass 2
14:15:30 <yushiro> 2 and 3 is 'hybrid'  as xgerman said.  So, we don't care about that.
14:15:32 <SridarK> xgerman: +1
14:15:45 <yushiro> xgerman, +1
14:16:12 <chandanc_> xgerman, +1
14:16:32 <annp> yushiro: +1
14:16:41 <chandanc_> i will confirm after testing though :)
14:16:45 <SridarK> chandanc_: that is good progress thx
14:16:46 <SarathMekala> I agree, +1
14:17:02 <yushiro> So, focusing "1." now, right?
14:17:03 <chandanc_> thanks SarathMekala
14:17:21 <chandanc_> 1 is my focus now, yushiro
14:17:29 <yushiro> chandanc_, OK. Thanks.
14:18:01 <yushiro> OK, next.
14:18:03 <yushiro> #link https://review.openstack.org/#/c/323971/
14:18:30 <yushiro> Paddu try to add more UTs in this patch.
14:19:05 <yushiro> I'm just testing this patch with default fwg + chandanc_ 's ovs driver patch.
14:19:10 <sarathmekala_> sorry got disconnected..
14:19:32 <chandanc_> yushiro, thanks for the pep8 fix
14:19:52 <yushiro> I found that current l2-agent is missing to update 'status' for default firewall_group.
14:20:48 <yushiro> So, default fwg is 'PENDING_CREATE'.
14:21:02 <yushiro> chandanc_, np
14:21:35 <yushiro> oops, it's not default fwg turn.  sorry.  What I'd like to say is,,
14:22:33 <yushiro> In L2-agent side, (1) it should be updated 'status' of fwg and  (2) apply default fwg for L2 port.
14:22:45 <yushiro> I'm trying to fix (1) and (2)
14:24:20 <SridarK> yushiro: yes on the PENDING_CREATE - this may require some rework as the workflow is quite different on L2
14:24:20 <chandanc_> +1 for (2)
14:24:27 <reedip_> o/
14:24:57 <yushiro> SridarK, OK.  And we need to determine what is 'active' for L2.
14:25:41 <xgerman> yes
14:25:51 <SridarK> yushiro: yes this area may need some rework in general too but lets keep it simple for now to get L2 support in
14:26:18 <yushiro> SridarK, sure.  simple means ....  INACTIVE: no ports are associated,  ACTIVE: at least 1 port is associated
14:26:22 <xgerman> indeed I think we can work with Active/Error right now
14:26:28 <SridarK> yushiro: yes exactly
14:26:44 <xgerman> make sure to have ERROR
14:26:45 <reedip_> guess I will see the logs to understand whats happening :)
14:26:48 <yushiro> OK, thanks SridarK and xgerman
14:26:58 <yushiro> Next
14:27:10 <yushiro> Fix "public" attribute behavior:   #link https://review.openstack.org/#/c/424534/
14:27:30 <yushiro> oh, sorry. I forgot to update it.
14:28:04 <yushiro> vks1 patch has been merged and this patch needs minor change.
14:28:28 <SridarK> #link https://review.openstack.org/#/c/451705/ ?
14:28:54 <yushiro> SridarK, yes.  this is for vks1
14:29:22 <yushiro> aha,
14:29:31 <SridarK> good we finally fixed this - somehow early on i think we misunderstood and went thru a lot of unnecessary work :-)
14:29:33 <yushiro> I think https://review.openstack.org/#/c/424534/3  is not necessary
14:29:55 <yushiro> because we can filter by using 'shared'  as usual.
14:30:01 <xgerman> +1
14:30:11 <vks1> yushiro: hi
14:30:12 <reedip_> Yep that patch may not be required
14:30:21 <yushiro> OK, I'll abandon this patch.
14:30:24 <reedip_> but I saw that policy.json has both public and shared
14:30:26 <yushiro> vks1, hi
14:30:28 <reedip_> we may need to change that
14:30:28 <SridarK> yushiro: yes it seems so
14:30:34 <SridarK> reedip_: good point
14:30:42 <yushiro> reedip_, yes, exactly.
14:30:57 <SridarK> vks1: do u want to pick that up ?
14:31:03 <SridarK> vks1: and thanks
14:31:12 <reedip_> I was thinking of removing that, but then I didn't know why we kept it in the first place
14:31:20 <SridarK> for bringing shared back to the limelight :-)
14:31:35 <xgerman> ;-)
14:31:45 <yushiro> https://github.com/openstack/neutron-fwaas/blob/master/etc/neutron/policy.d/neutron-fwaas.json
14:31:54 <yushiro> There are still 'public'
14:32:09 <vks1> SridarK: sure
14:32:11 <reedip_> yeah ...
14:32:22 <yushiro> vks1, Sounds good!  Thank you.
14:32:23 <reedip_> we need to ditch that yushiro
14:32:49 <SridarK> reedip_: +1
14:32:56 <yushiro> reedip_, yeah ~~
14:33:01 <reedip_> lemme put up a patch, if you dont mind :)
14:33:15 <SridarK> reedip_: yes pls :-)
14:33:25 <yushiro> pls
14:33:27 <yushiro> :)
14:33:30 <reedip_> done
14:34:07 <yushiro> OK, next
14:34:09 <yushiro> Neutron-lib adoption: https://review.openstack.org/#/c/421472/
14:34:24 <yushiro> reedip_, it's your turn :)
14:34:42 <reedip_> I just came home :D
14:35:02 <yushiro> Oh, good :)
14:35:22 <reedip_> well, boden has published some patches for neutron-lib, I am following those changes up as the latest lib version has been released (1.4.0)
14:35:46 <yushiro> OK.
14:35:48 <reedip_> for the patch which njohnston had put up , there are some other dependent patches which I have published
14:36:08 <xgerman> ok, sounds good
14:36:14 <reedip_> The only thing which was worrying me was that the commit ID seems to be wrong in this patch, therefore no tests are running
14:36:22 <reedip_> I will fix that in a minute
14:36:31 <yushiro> great.
14:36:36 <xgerman> +1
14:37:02 <yushiro> next is ... Horizon support.
14:37:27 <yushiro> Is sarathmekala here?
14:37:35 <_sarathmekala_> yeah
14:37:55 <_sarathmekala_> I had a discussion with Rob Creswell
14:38:15 <_sarathmekala_> and generated the plugin structure
14:38:22 <_sarathmekala_> he is ok with the changes
14:38:48 <_sarathmekala_> the conclusion is that we can create our own structure inside it
14:39:11 <_sarathmekala_> so.. in the benefit of time, I am working on the old model for now
14:39:14 <xgerman> yeah, there was still some discussion how to align repos but consensus is building for each project getting their own
14:39:40 <_sarathmekala_> xgerman, ok
14:39:48 <SridarK> _sarathmekala_: ok will it be a big jump to get things aligned to commit ?
14:39:59 <SridarK> from the old model that is ?
14:40:02 <_sarathmekala_> SridarK, it should not be
14:40:23 <_sarathmekala_> the changes mostly will be align with that structure
14:40:29 <_sarathmekala_> functionality should be the same
14:40:51 <SridarK> _sarathmekala_: ok whichever is easier for u
14:40:53 <_sarathmekala_> I have fixed the issues i was facing with Rules tab
14:41:09 <SridarK> it would be ideal to have the code changes go in by summit time
14:41:17 <robcresswell> _sarathmekala_: You can use the old structure if you like. It really doesn't matter either way, but the generated one is perfectly valid.
14:41:29 <_sarathmekala_> thanks robcresswell
14:41:30 <SridarK> but plan B is that we can have some code that can be demo ready
14:41:42 <reedip_> Hey just a minute
14:41:46 <robcresswell> If you run into any bugs or need some reviews before Boston, ping me
14:41:48 <_sarathmekala_> yes SridarK, I am targeting for that
14:41:53 <robcresswell> I'll try and fit some time in :)
14:42:03 <SridarK> _sarathmekala_: ok
14:42:04 <_sarathmekala_> sure robcresswell, I may need some help during integration
14:42:07 <SridarK> robcresswell: thx :-)
14:42:11 <yushiro> goooood :)
14:42:12 <xgerman> +1
14:42:25 <_sarathmekala_> I am more or less done with Rules tab
14:42:32 <_sarathmekala_> will send across a patch tomorrow
14:42:49 <reedip_> sorry for interruption , I think amotoki is discussing http://lists.openstack.org/pipermail/openstack-dev/2017-April/115200.html , which is regarding dashboard support for neutron stadium project
14:42:49 <_sarathmekala_> if anyone has bandwidth they can download and give it a try
14:43:21 <SridarK> reedip_: yes indeed
14:43:44 <SridarK> i think we are fairly ok with either (a) or (c) options
14:43:45 <_sarathmekala_> reedip_, thanks for the link.. will go through it
14:43:59 <SridarK> but wanted to think this thru a bit
14:44:01 <yushiro> That is long term solution, right?
14:44:27 <robcresswell> I would recommend A. It fits best with Horizons plugin model, IMO.
14:44:49 <SridarK> robcresswell: ok and also release seems to prefer it too
14:45:22 <robcresswell> SridarK: Yep :)
14:45:41 <yushiro> I see.
14:46:10 <_sarathmekala_> thats it from my side
14:46:17 <yushiro> thanks, _sarathmekala_
14:46:37 <yushiro> #topic FWaaS v2
14:46:49 <yushiro> Please discuss only default fwg.
14:47:09 <yushiro> We're discussing in mail for that.
14:47:36 <yushiro> Last week I sent e-mail about default fwg.
14:48:18 <yushiro> Can we start step by step from simple implementation?
14:48:48 <SridarK> yushiro: yes agreed
14:48:53 <chandanc_> +1 yushiro
14:49:00 <SridarK> let me also respond to u on email
14:49:12 <SridarK> i had some concerns too
14:49:24 <reedip_> yushiro : I agree with the implementation in small amounts
14:49:31 <yushiro> SridarK, me too.
14:50:21 <yushiro> OK, so, let's skip configurable option(enable/disable) for early impl.
14:50:51 <yushiro> wow, 10 minutes left !
14:51:04 <yushiro> #topic Stadium Compliance
14:51:39 <yushiro> reedip_, Is there some update or want to report?
14:52:27 <yushiro> OK, next
14:52:28 <yushiro> #topic performance improvement for v2
14:53:09 <cuongnv> I got some comments from reedip_ and Cedric and also pushed new code based on that
14:53:21 <yushiro> will take a look.
14:53:23 <cuongnv> waiting for more reviews atm...
14:53:45 <cuongnv> thank you all for your reviews
14:53:59 <yushiro> let's review for them.
14:54:02 <SridarK> cuongnv: i also started looking at it and we should get this in quickly
14:54:21 <cuongnv> SridarK, yeah
14:54:37 <yushiro> #topic bugs
14:54:50 <reedip_> SridarK : can someone merge the Pike Etherpad contents with the weekly meeting etherpad, so that we can have all information in the same page
14:54:50 <reedip_> I think a lot of contents for the stadium is in both the etherpads so things may get lost
14:55:17 <SridarK> reedip: ok agreed
14:55:42 <reedip_> sorry, just joined, network issue
14:55:56 <SridarK> reedip_: yes agreed on the etherpads
14:56:07 <yushiro> it's reasonable ;)
14:56:09 <yushiro> #topic Open Discussion
14:56:16 <yushiro> sorry for interrupt.
14:56:31 <yushiro> SridarK, chandanc_ I'd like to discuss with you about Boston summit presentation.
14:56:43 <reedip_> just for note: following patches are up for review in neutron-lib for FWaaS : https://review.openstack.org/455422 , https://review.openstack.org/451229
14:56:53 <xgerman> It’s still not clear if we have budget
14:57:12 <SridarK> yushiro: yes lets do that - we can come up with a first pass and get reviews from others as well
14:57:22 <SridarK> xgerman: oh really i hope it comes thru
14:57:27 <chandanc_> +1 SridarK
14:57:37 <yushiro> I just got "GO sign" from my manager.  I can go to Boston
14:57:48 <xgerman> awesome!!
14:57:52 <chandanc_> I will be there
14:58:00 <reedip_> I wont be there :)
14:58:11 <chandanc_> :)
14:58:15 <reedip_> I probably might get married by then :P
14:58:19 <SridarK> reedip_: and u have more important things :-)
14:58:24 <xgerman> congrats!!
14:58:28 <SridarK> yushiro: great
14:58:37 <reedip_> xgerman : thanks
14:58:40 <annp> reedip: congrats
14:58:47 <cuongnv> reedip_, congrats!
14:58:50 <hoangcx> We may also think about team meetup at Forum if possible :-)
14:58:51 <SridarK> reedip_: if u land up at Boston, u will hear it about for the rest of ur life :-)
14:58:59 <chandanc_> :)
14:59:01 <yushiro> I'll give a presentation with Monasca for logging feature on Monday.  In this presentation, I'll inform the audience about fwaas session :)
14:59:03 <_sarathmekala_> reedip_, Congrats
14:59:15 <yushiro> reedip_, congrats!!
14:59:15 <chandanc_> Congrats reedip_
14:59:17 <SridarK> hoangcx: +1
14:59:27 <reedip_> _sarathmekala, yushiro, chandanc_ cuongnv ,annp : thanks ... SridarK : yeah I know ... !
14:59:47 <xgerman> also FYI I am running for the TC so make sure to vote
14:59:55 <yushiro> OK, let's keep on discussing openstack-fwaas if possible about summit.
14:59:58 <SridarK> xgerman: yes will do
15:00:05 <xgerman> thx
15:00:10 <reedip_> xgerman : Oh great .. yeah we will do :)
15:00:19 <yushiro> xgerman, wow!! great
15:00:20 <yushiro> #endmeeting