13:59:55 <SridarK> #startmeeting fwaas 13:59:56 <openstack> Meeting started Thu Oct 19 13:59:55 2017 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:59:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 13:59:59 <openstack> The meeting name has been set to 'fwaas' 14:00:06 <SridarK> #chair xgerman_ yushiro 14:00:07 <openstack> Current chairs: SridarK xgerman_ yushiro 14:00:46 <SridarK> Firstly apologies i had to miss last week meeting and also the last week has been busy on other things at work 14:00:55 <SridarK> lets get started 14:01:06 <openstackgerrit> Murali Annamneni proposed openstack/neutron-fwaas master: Enable MySQL Cluster Support for neutron-fwaas https://review.openstack.org/513392 14:01:16 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: FWaaS v2 extension for L2 agent https://review.openstack.org/323971 14:01:17 <SridarK> Great that the Dashboard patch is in 14:01:30 <xgerman_> +1 14:01:40 <SridarK> #topic Queens L2 support 14:01:44 <yushiro> +1 thanks Sarath akihiro 14:01:59 <SridarK> and thanks yushiro as well 14:02:10 <yushiro> SridarK, Aha :) 14:02:13 <doude> Hi 14:02:27 <SridarK> yushiro: pls go ahead i think we are almost there 14:02:42 <yushiro> OK, let me explain something 14:02:54 <SridarK> #link https://review.openstack.org/#/c/323971/ 14:03:53 <yushiro> Yesterday, I and annp has discussed about handling fixed_ip address. 14:04:20 <yushiro> We decided to handle in driver-side same as neutron ovs-agent. 14:05:16 <yushiro> So, we've included 'fixed_ips' into port_detail parameter and send port_detail to driver-side. Here is our latest version. 14:05:46 <yushiro> I've tested in my environment and works fine. 14:06:07 <yushiro> So, If zuul got +1 for l2-agent patch, I think it's OK to be merged.. 14:06:34 <annp> +1 yushiro :) 14:06:54 <xgerman_> nice — 14:07:30 <SridarK> yushiro: i see some details for test setup on etherpad https://etherpad.openstack.org/p/fwaas-v2-l2 14:07:44 <SridarK> I will do some testing by tomorrow as well 14:08:16 <yushiro> SridarK, Yes. However, let me check 1 thing about releasing. 14:08:44 <yushiro> When is a final deadline for Q-1? tomorrow? 14:09:11 <SridarK> yushiro: hmm i am not sure that it is that critical 14:09:33 <SridarK> we will need to merge the driver as well for things to be functional 14:09:46 <yushiro> SridarK, Yes, exactly. 14:09:55 <hoangcx_> yushiro: SridarK Here https://review.openstack.org/#/c/512432/ 14:10:13 <yushiro> hoangcx_, thanks 14:10:49 <SridarK> hoangcx_: thx 14:11:10 <xgerman_> We would need to bump the SHA here: https://review.openstack.org/#/c/512432/2/deliverables/queens/neutron-fwaas.yaml 14:11:33 <xgerman_> Q-3 is still not released 14:11:36 * mlavalle slides silently in 14:11:38 <xgerman_> Q-1 14:11:42 <SridarK> i think it is good we got the dashboard in - my feeling is that on the L2 support it is key that we do more testing 14:12:14 <yushiro> xgerman_, thanks. SridarK OK I see. 14:13:11 <yushiro> Ah, I have 1 concern about l2 patch. Currently, if we try to associate a port into dirrefent firewall_group at same time, a relation will be broken. 14:13:20 <SridarK> i think for things to make sense: the FWaaS L2 Agent, L2 Driver and Def FWG needs to be in 14:14:15 <SridarK> yushiro: but i am thinking validation on the plugin shd fail that 14:15:14 <yushiro> SridarK, I think this is race condition. 2 requests try to check DB status at same time. 14:15:22 <SridarK> yushiro: aha ok 14:15:44 <annp> Sridark, yushiro: we've already pushed patch for fixing that 14:15:46 <yushiro> We don't guard in DB layer in FirewallGroupPortAssociation table. I think we need to have unique constraint for 'port_id' in this table. 14:15:59 <yushiro> annp, yees.. could you paste your patch? 14:16:06 <annp> https://review.openstack.org/#/c/512154/ 14:16:08 <SridarK> ok and annp that is ur patch 14:16:36 <annp> As reedip said: we no need migration file 14:16:51 <annp> So i removed this file. 14:17:44 <SridarK> annp Hmm it is the same db table for L3 ports as well 14:17:47 <yushiro> annp, sorry. What are you going to fix ?? 14:18:09 <SridarK> so i am a bit confused - let me look more and think more after i am fully awake and comment on Gerrit 14:18:22 <mlavalle> lol 14:18:28 <SridarK> :-) 14:18:33 <yushiro> annp, I think your approach is better because we've already released fwaas v2 for L3. 14:18:48 <yushiro> mlavalle, Hi :) 14:18:51 <SridarK> yushiro: yes that was my thought too 14:19:12 <SridarK> lets comment on gerrit 14:19:13 <annp> SridarK: ok! 14:19:16 * mlavalle waves back to the entire team :-) 14:19:57 <SridarK> shall we move on to the driver ? 14:20:10 <yushiro> SridarK, yes, please. 14:20:14 <SridarK> #link https://review.openstack.org/#/c/447251/ 14:20:15 <annp> Please go ahead 14:20:18 <SridarK> annp: 14:20:23 <annp> :) 14:20:25 <SridarK> pls go ahead 14:20:33 <SridarK> annp ^^ 14:20:43 <SridarK> and annp thanks for the help on this 14:20:46 <annp> for ovs driver it's ready for reviewing and testing 14:20:58 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: OVS based l2 Firewall driver for FWaaS v2 https://review.openstack.org/447251 14:20:58 <annp> fwg can works co-existing sg now 14:21:25 <yushiro> annp, yes. 14:21:25 <annp> yushiro, did you test this driver? 14:21:35 <SridarK> annp pls upd the testing etherpad with any details so all can test 14:21:39 <SridarK> https://etherpad.openstack.org/p/fwaas-v2-l2 14:22:05 <SridarK> annp: oh very nice that u have verified co-existence with SG 14:22:27 <yushiro> annp, Now I'm testing but failed to create VM instance (No sql_connection parameter is established) 14:22:47 <SridarK> This area will need careful testing (on co-existence) 14:23:06 <yushiro> annp and I discussed yesterday and annp replied to Inessa yesterday, right? 14:23:07 <annp> SridarK: Sorry, I don't have test case here. So Tomorrow, I will try to test and update etherpad 14:23:31 <annp> yushiro, yes. You can see that on gerrit. 14:23:41 <SridarK> annp: no worries - just share any details so others can also use that info for testing 14:24:16 <annp> SridarK, thanks. I hope you have chance to verify ovs driver :) 14:24:32 <SridarK> annp: yes i will test it as well 14:24:48 <yushiro> SridarK, Now i've updated https://etherpad.openstack.org/p/fwaas-v2-l2 local.conf with OVS fw driver and L2-agent 14:24:59 <SridarK> yushiro: yes thanks for that 14:25:16 <xgerman_> +1 14:25:20 <SridarK> annp: anything else u would like to discuss ? 14:25:30 <annp> that's all from me :) 14:25:40 <annp> please go ahead 14:25:41 <SridarK> i think chandanc may be off this week 14:25:46 <yushiro> annp, I'll paste ovs-ofctl dump-flows br-int for testing. 14:26:09 <SridarK> yushiro: yes good idea 14:26:11 <annp> yushiro, really cool. it useful for debugging 14:27:10 <SridarK> and on default fwg - i think we are ready to go - in a way it would make sense for this to get after the L2 agent patch 14:27:36 <SridarK> but looks like it is in need of a blessing from CI 14:28:03 <SridarK> yushiro: annp anything else u would like to discuss on L2 14:28:17 <yushiro> SridarK, 1 thing. We've separated perfectly default fwg and l2-agent patch. 14:28:18 <SridarK> overall i think some great progress on this 14:28:28 <SridarK> yushiro: +1 14:28:44 <yushiro> 1. default fwg 2. l2-agent 3. Auto-association default fwg in l2-agent 14:28:52 <reedip_> hey guys , sorry, its a festival in India .... something similar to Hanabi 14:28:54 <reedip_> https://g.co/kgs/xgt8SL 14:29:03 <reedip_> late to join tjhe meeting 14:29:17 <SridarK> and mlavalle also many thanks for increasing the priority on the blueprint (and for joining the mtg) 14:29:28 <SridarK> reedip_: no worries 14:29:33 <SridarK> ok lets move on 14:29:37 <yushiro> Patch '3.' is just updating handle_port()... 14:29:45 <yushiro> That's all. 14:29:49 <SridarK> yushiro: ok 14:30:15 <yushiro> reedip_, sounds exellent :) 14:30:18 <SridarK> that makes more sense to me 14:30:20 <mlavalle> SridarK: should it be higher. I wanted to give it visibility, but not put the team on the spotlight, without your consent 14:30:22 <SridarK> no 14:30:37 <SridarK> mlavalle: no that is fine i think - we are making progress 14:30:43 <xgerman_> +! 14:30:43 <mlavalle> cool 14:30:49 <SridarK> mlavalle: thx again 14:31:17 <xgerman_> mlavalle when will Q-1 be cut? 14:31:29 <mlavalle> today 14:31:41 <mlavalle> we had a patch lined up last night 14:31:58 <mlavalle> but still marked as WIP 14:31:58 <SridarK> and lets get in annp's patch on constraint for port_id 14:32:17 <yushiro> SridarK, +1 14:32:20 <xgerman_> +1 14:33:24 <annp> SridarK: Is there some concerning? 14:33:40 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Adding unique contraint for port_id https://review.openstack.org/512154 14:33:41 <SridarK> ok on Q-1 - i think we are ok with L2 stuff getting in over the next few days and be part of Q-2 14:34:07 <reedip_> I think the migration in the port ID is not needed , TBH 14:34:15 <reedip_> I guess I am late for the party though :) 14:34:17 <SridarK> annp: no concerns - i think we are good on that - i will review again and we can close that 14:34:35 <annp> SridarK, Ok! :) 14:34:52 <xgerman_> +1 14:34:59 <SridarK> reedip_: we had some discussion on that but lets come back to that 14:35:05 <yushiro> reedip_, we talked about that before. I think it's better to keep current approach because we've already published fwaas v2 with L3. 14:35:16 <SridarK> #topic Queens Dashboard 14:35:31 <reedip_> yushiro : hmm .. ok, lets take it up in a while 14:35:35 <SridarK> #link https://review.openstack.org/#/c/475840/ 14:35:59 <SridarK> thanks SarathMekala amotoki and yushiro for jumping in as well 14:36:16 <SridarK> we have our first cut of dasboard support in 14:36:26 <yushiro> You're welcome!!! 14:36:36 <amotoki> thanks all 14:36:50 <SridarK> i think we acknowledge that there may be some tweaking reqd but it is good to have this 14:37:05 <amotoki> who wants to cut a release? it does not follow cycle-with-milestones, so we need to cut a release separately 14:37:25 <SridarK> and hopefully with L2 support in - it will be an incremental effort to add that 14:37:53 <amotoki> another info: please file bugs on remaining things on v2 dashboard with v2-dashboard tag 14:38:01 <reedip_> amotoki : ok 14:38:01 <amotoki> https://bugs.launchpad.net/neutron-fwaas-dashboard/+bugs/?field.tag=v2-dashboard 14:38:19 <SridarK> amotoki: thx for the info 14:38:20 <openstackgerrit> Nguyen Phuong An proposed openstack/neutron-fwaas master: Adding unique constraint for port_id https://review.openstack.org/512154 14:38:27 <amotoki> and we need a release note for v2 dashboard before the release 14:38:38 <yushiro> amotoki, I'd like to help for cutting. But I'm newbee :) 14:38:55 <amotoki> yushiro: i can help you if you'd try 14:38:59 <yushiro> amotoki, Thanks for launchpad link. I'll migrate from etherpad to launchpad for bug. 14:39:10 <amotoki> yushiro: it is a simple thing 14:39:19 <yushiro> amotoki, Yes, thanks. 14:39:50 <SridarK> amotoki: thx, yushiro then we can take turns 14:40:24 <amotoki> one more thing: have anyone checked zuulv3 integration with fwaas dashboard? 14:40:24 <yushiro> :) 14:40:45 <yushiro> sorry, not yet. 14:40:52 <hoangcx_> amotoki: Yes. I do 14:40:59 <xgerman_> yeah, I was hoping it would be one of the instances where it works automagically 14:40:59 <reedip_> no, but I think there is a patch for zuul by hoangcx_ 14:41:14 <reedip_> xgerman_ too positive :) 14:41:27 <SridarK> hoangcx_: can u point to ur patch pls 14:41:35 <amotoki> yeah, the dashboard consumes horizon, so one fix is needed. 14:41:42 <amotoki> this is what hoangcx_ proposed 14:41:42 <hoangcx_> https://review.openstack.org/#/c/513336/ 14:41:51 <SridarK> hoangcx_: thx 14:42:08 <xgerman_> sweet 14:42:23 <hoangcx_> I fixed gate for fwaas and then the dashboard 14:42:45 <yushiro> hoangcx_, thanks 14:42:54 <SridarK> hoangcx_: thx 14:44:53 <SridarK> anything further on dashboard ? 14:45:03 <SridarK> if not we can move on 14:45:04 <amotoki> nothing from me 14:45:18 <SridarK> ok 14:45:26 <SridarK> #topic Open Discussion 14:45:42 <SridarK> doude: thx for the pointer to the doc in last mtg 14:45:54 <doude> np 14:45:57 <yushiro> amotoki, would it be possible to support cutting tomorrow? 14:46:03 <doude> did you had tie to look at it? 14:46:09 <yushiro> s/cutting/cutting release 14:46:15 <doude> s/tie/time 14:46:15 <SridarK> doude: not yet 14:46:22 <doude> and on the review? 14:46:32 <SridarK> doude: but i will look and we can discuss more from next week 14:46:42 <xgerman_> TC elections this week; next PTG week of 2/26 in Dublin,. Ireland 14:46:44 <SridarK> if u think we are ready we can make that a regular topic 14:47:01 <doude> don't hesitate to ping me on IRC (I'm in French time zone) 14:47:10 <SridarK> doude: ok thx 14:47:13 <doude> yes 14:47:13 <amotoki> yushiro: perhaps I can 14:47:14 <reedip_> tahts UTC +2 , right? 14:47:14 <xgerman_> but doing CA hours? 14:47:16 <doude> Do you think it could land for Queens release? 14:47:23 <yushiro> amotoki, or today's midnight? (just joking) haha 14:47:24 <doude> yes UTC+2 14:47:33 <SridarK> xgerman_: will u be able to make the summit ? 14:47:36 <amotoki> yushiro: both works for me :) 14:47:38 <xgerman_> nope 14:47:52 <SridarK> doude: i think we can defn focus on that 14:48:11 <SridarK> once the L2 support is in - that should make things easier to prioritze 14:48:38 <doude> ok so until L2 stuff merge we can discuss the solution 14:48:42 <yushiro> amotoki, You're always superman :) Please help me in tomorrow's morning. 14:48:48 <SridarK> doude: sounds good 14:49:06 <doude> and then when we decided how we'll proceed, I'll rebase my patch and update it 14:49:10 <SridarK> yushiro: +1 14:49:53 <amotoki> no problem. only difference is to go to bed early or to get up later :) 14:49:55 <xgerman_> +1 14:50:01 <SridarK> :-) 14:50:31 <yushiro> hahaha 14:50:49 <SridarK> I hope many of the folks will be at the summit 14:51:09 <reedip_> Nope ... 14:51:15 <yushiro> aha, 1 thing from me. 14:51:27 <reedip_> I have a forum topic but doesnt seem to that I would be going yet 14:51:37 <yushiro> Folks, would you write your name if you join Sydney summit? https://etherpad.openstack.org/p/fwaas-meeting 14:51:56 <yushiro> in Sydney summit attendee: section :) 14:52:02 <SridarK> reedip_: oh ok 14:52:32 <yushiro> reedip_, yeah, I checked you have a presentation :) 14:53:15 <yushiro> annp, I think to test with ovs fw driver. Is it better to change sg driver for 'openvswitch' ? 14:53:39 <SridarK> yushiro: oh yes u bring up a good point 14:53:45 <xgerman_> +1 14:53:49 <annp> yushiro, yes. 14:54:02 <yushiro> OK, I'll describe in etherpad. 14:54:09 <SridarK> do we have to support SG on iptables ? 14:54:11 <annp> Please change! and let see what will happen :) 14:54:22 <xgerman_> yeah, but we should be able to run against an iptables SG, too? 14:54:34 <xgerman_> that would be similar to FWaaS stabd-alone 14:54:41 <annp> SridarK, I'm not sure, I haven't tested with this case. 14:54:50 <SridarK> annp: when u tested for co-existence with SG 14:55:02 <SridarK> what driver for SG did u use ? 14:55:09 <annp> I just tested with SG based ovs and fwg 14:55:22 <SridarK> annp: ok that is what i thought 14:55:37 <SridarK> and that seems to be the more straightforward case to support 14:55:49 <annp> yes, I think so. 14:56:00 <yushiro> done 14:56:01 <annp> We shouldn't care too much. :) 14:56:16 <yushiro> Plz check 'How to configure some config files:' section after deployed devstack. 14:56:18 <reedip_> care about what ??? ::) 14:56:19 <xgerman_> yep, as long as we document it 14:56:55 <annp> reedip, we shouldn't care iptables hybrid 14:57:01 <yushiro> yes, SG and FWG on OVS. That is our real target. 14:57:02 <reedip_> kk 14:57:49 <annp> +1 yushiro. 14:57:51 <amotoki> if hybrid plug and hybrid SG driver are used, FW rules are applied at ovs flow and SG rules are applied at linuxbrige 14:57:53 <hoangcx_> I think we need to documented it out for something like "internal fwaas" as neutron does to help other contributor understand 14:58:12 <xgerman_> +1 14:58:34 <amotoki> i believe it works so ovs native support from fwaas is enough. is it right? 14:58:45 <yushiro> amotoki, +100 14:58:59 <SridarK> yes agreed 14:59:00 <xgerman_> yep — I just thoiught we would get the Hyvrid for free 14:59:05 <yushiro> Yes, that is our target. 14:59:21 <annp> amotoki, yes, But i'm not sure. Let try to test with this case 14:59:45 <SridarK> ok we are at time (not that there is another mtg in our channel) but lets conform to the time 14:59:57 <reedip_> we have some DVR related issues as well .. I couldnt look into them but SridarK we need some input once you have time 15:00:00 <SridarK> Thanks all for attending 15:00:07 <amotoki> annp: yeah. needs tests. anyway the order of rule enforcements is important. 15:00:12 <SridarK> reedip_: got it 15:00:16 <xgerman_> +1 15:00:17 <SridarK> #endmeeting