#openstack-fwaas log

13:59:51 <SridarK> #startmeeting fwaas
13:59:52 <openstack> Meeting started Thu Apr 12 13:59:51 2018 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:59:53 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:59:56 <openstack> The meeting name has been set to 'fwaas'
14:00:03 <SridarK> #chair xgerman_
14:00:04 <openstack> Current chairs: SridarK xgerman_
14:00:16 <SridarK> yushiro will not be able to join today
14:00:39 <annp> hi
14:00:47 <chandanc> Hello All
14:01:47 <SridarK> We are nearing Rocky R-1 milestone
14:02:28 <xgerman_> o/
14:02:35 <SridarK> https://releases.openstack.org/rocky/schedule.html
14:03:06 <SridarK> xgerman_: any other announcements that u would like to bring up ?
14:03:44 <xgerman_> for the Vancouver people there is a CI/CD summit colocated with the OopenStack summit
14:04:40 <xgerman_> #link https://www.openstack.org/news/view/376/opendev-cicd-schedule-now-live-collaborative-technical-event-focuses-on-jenkins-spinnaker-zuul-and-more
14:04:45 <SridarK> xgerman_: oh that is interesting, do u know if the summit registration covers that ?
14:05:13 <xgerman_> yep, covered with the OpenStack pass
14:05:37 <SridarK> nice, thx for that info xgerman_
14:06:01 <wkite> Excuse me, what might I have missed?
14:06:34 <SridarK> wkite: will u be at the summit in Vancouver ?
14:07:08 <wkite> This is unlikely
14:07:18 <SridarK> wkite: if so check out the link above for a CI/CD summit that happens colocated
14:07:30 <SridarK> wkite: ok then no impact
14:07:52 <SridarK> but might be good to check out and if there are videos post event - u can catch up
14:08:00 <SridarK> ok lets move on
14:08:29 <SridarK> #topic Rocky: Pluggable backend Driver
14:08:36 <SridarK> doude: pls go ahead
14:08:45 <doude> Hi
14:09:04 <SridarK> doude: thx for addressing comments
14:09:13 <doude> I had few reviews, one from you SridarK  and two others
14:09:23 <doude> I answered them
14:10:00 <SridarK> #link https://review.openstack.org/#/c/480265/
14:10:02 <doude> and for the moment no issue was reported to me
14:10:24 <SridarK> I think yushiro had some clarifications on the tests
14:10:43 <annp> doude, have you tested with your patch in multi node environemnt?
14:10:45 <doude> #link https://etherpad.openstack.org/p/fwaas-pluggable-backend-testing
14:10:57 <doude> no I did not
14:11:25 <doude> annp
14:11:31 <annp> doube, Today I tried to test your patch, I got same result as yushiro report last metting
14:12:05 <annp> doube, Exception OVSFWaaSPortNotFound was raised.
14:12:32 <doude> ok
14:12:33 <SridarK> doude: it seems yushiro did not have u in he email - just fwd-ed it to u
14:13:11 <SridarK> annp: this was on update of FWG correct ?
14:13:23 <doude> hot it now
14:13:27 <doude> got it now
14:14:11 <annp> SridarK,I have tested with master branch, I don't see OVSFWaasPortNotFound exception
14:14:22 <SridarK> annp: thx
14:14:48 <SridarK> annp: was it updating a FWG with a port ?
14:14:55 <doude> annp can you descibe step you used to reproduce it?
14:15:36 <annp> doube, SridarK, 1st: building 1 controller node and 2 compute node with doube's patch
14:16:02 <annp> then create VM, You can see log in q-agt.service
14:16:19 <annp> Default fwg status change to ERROR
14:16:43 <doude> yushiro said in his email he reproduces it in both cases: all-in-one and multi node
14:17:17 <SridarK> annp: oh ok it is on VM create (which triggers the update on FWG)
14:17:28 <doude> ok I'll look at it
14:17:28 <annp> doude, I just tested with multi node not tested with all-in-one
14:17:35 <doude> ok
14:17:48 <doude> I've a aio ready, I can try
14:17:52 <annp> SridarK, yes
14:18:17 <SridarK> annp: ok thx and as u mention, it seems yushiro sees it in all in one itself
14:18:34 <SridarK> doude: thx can u quickly check that out and debug
14:18:57 <SridarK> annp: would u mind to put a comment on gerrit as well ?
14:19:24 <annp> SridarK, No problem. I will do.
14:19:31 <SridarK> annp: thx
14:20:22 <doude> also, I've comment from NSX developer who said they already have a NSX driver for FWaaSv2 and ask if my patch will break it
14:20:47 <doude> https://review.openstack.org/#/c/480265/19/devstack/plugin.sh@47
14:22:14 <SridarK> doude: yes I think there has to be some accompanying change but i think it may not be too bad
14:22:47 <doude> ok, but I don't get how their driver work actually
14:22:53 <doude> there is no driver interface
14:23:24 <SridarK> doude: but it will help to get that to a resolution to make sure that there is a clear path for existing users
14:24:24 <SridarK> If someone is using the community version of the pluging and only defining a backend driver - their impact should be minimal ?
14:24:35 <SridarK> just specifying the driver
14:24:44 <doude> yes
14:25:04 <SridarK> but with anyone with their version of the plugin - they will need to conform to the service driver interface
14:25:39 <doude> not sure to understand that
14:26:12 <SridarK> no they will need to specify their plugin as a flavor
14:26:41 <SridarK> doude: possibly a discussion with the reviewer to outline the changes would be good
14:26:53 <SridarK> as we dont really understand their implementation
14:27:22 <doude> ok
14:27:40 <doude> I think they implemented their own service plugin
14:27:49 <SridarK> ok
14:27:54 <doude> so event after my patch, that'll continuing to work
14:28:16 <doude> the service plugin insterface did not change with my patch
14:28:34 <SridarK> and if they want they can implement their plugin as a service driver
14:28:44 <SridarK> but as such they should be fine
14:29:25 <SridarK> ok if they are comfortable we can move on - else maybe a discussion on the channel with them will be good so u can move fwd
14:30:43 <SridarK> ok shall we move on
14:30:48 <SridarK> doude: anything else ?
14:30:54 <doude> oh no they use that driver interface https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/fwaas_base.py
14:31:07 <doude> no it's ok for me
14:32:04 <SridarK> ok
14:32:12 <SridarK> lets talk more offline
14:32:22 <doude> ok
14:32:31 <SridarK> #topic Rocky Address Group Spec
14:33:01 <SridarK> #link https://review.openstack.org/#/c/557137/
14:33:25 <SridarK> wkite: pls go ahead
14:33:42 <wkite> ok
14:33:48 <SridarK> I have also added a few comments
14:34:16 <wkite> in
14:34:37 <SridarK> annp: chandanc: also pls take a look in what we can support on the driver
14:34:48 <SridarK> we will need to do both iptables and ovs
14:34:49 <chandanc> sure SridarK
14:35:12 <annp> sure
14:35:22 <SridarK> or rather how we will support on the driver
14:35:47 <SridarK> wkite: i also echo njohnston 's comment on the address range
14:36:11 <SridarK> wkite:  is that very critical need - defn it improves usability
14:36:43 <wkite> This is a function we need
14:36:46 <SridarK> to support arbitrary ranges not along a cidr block
14:36:57 <SridarK> wkite: ok
14:37:54 <SridarK> wkite: ok lets continue this on the review
14:38:04 <SridarK> wkite: other things u want to bring up
14:38:58 <wkite> we also need multi address groups
14:39:39 <wkite> I have implemented this function with my own code.
14:40:28 <wkite> But I only implemented the driver of iptables by iprange module
14:41:29 <SridarK> wkite: we only support a single address (or range) but i can see the value of having multiple AG's
14:41:45 <SridarK> wkite: we will need to eval ovs for L2 support
14:42:27 <SridarK> lets continue discussion on the review
14:42:50 <wkite> ok
14:43:41 <SridarK> #topic Rocky FWaaS Logging spec
14:43:46 <SridarK> #link https://review.openstack.org/#/c/509725/
14:43:53 <SridarK> annp: pls go ahead
14:44:21 <SridarK> I think we just have to resolve some minor things and we should be able to move fwd ?
14:44:34 <hoangcx> SridarK: Yes
14:44:34 <annp> I'm waiting update from submiter :)
14:44:42 <SridarK> annp: ok
14:44:57 <SridarK> annp anything else u would like to bring up here ?
14:44:58 <annp> I think spec is quite close to merge.
14:45:26 <hoangcx> Oops, job failed!!!
14:45:33 <annp> SridarK, that's all from me.
14:45:49 <SridarK> ok sounds good
14:46:32 <SridarK> #topic Rocky Remote FWG
14:46:39 <SridarK> xgerman_: pls go ahead
14:46:43 <SridarK> #link https://review.openstack.org/521207
14:47:04 <xgerman_> not much progress — but I am firmaly in for R-2
14:47:13 <SridarK> xgerman_: sounds good
14:47:35 <SridarK> #topic Rocky tempest
14:48:05 <SridarK> I have been looking at this and will get something going for R-2
14:48:34 <SridarK> #topic bugs
14:49:02 <SridarK> #link  https://bugs.launchpad.net/neutron/+bug/1759773
14:49:03 <openstack> Launchpad bug 1759773 in neutron "FWaaS: Invalid port error on associating L3 ports (Router in HA) to firewall group" [Undecided,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)
14:49:46 <SridarK> and we had a similar issue for DVR, I will address the DVR issue but on HA would like to get some discussion going on behavior after switchover
14:50:27 <SridarK> I dont know that we had any other bugs come up recently but it is time to do a scrub at some point soon
14:50:57 <SridarK> #topic Open Discussion
14:51:16 <annp> Hi xgerman_
14:51:22 <xgerman_> hi
14:51:31 <SridarK> We will skip Dashboard as i dont see SarathMekala - he was going to come up with a list of enhancements
14:51:40 <annp> I'm planning to start collect idea for l7 filtering
14:51:49 <SridarK> annp: +1
14:52:07 <xgerman_> nice — that’s cilium’s claim to fame
14:52:23 <annp> I think we can bring this topic to forum at vancouver summit. Do you think so?
14:52:50 <annp> xgerman_, yes, cilium is great.
14:53:02 <xgerman_> yes, we can ;-)
14:53:03 <SridarK> annp: have u had some ideas on the backend ? BPF ?
14:54:10 <annp> SridarK, actually, I just want to collect idea to start chose good solution before I implement it
14:54:32 <xgerman_> well, we should make it pluggable in any way and then just have a rference implementation
14:54:42 <annp> May be BPF and XDP is good choice. Is there any simpler than BPF and XDP?
14:54:52 <annp> :)
14:54:58 <xgerman_> iptables?
14:55:10 <SridarK> annp: ok the challenge (and part of the requirements and discussion) is we will need to support a ref implementation
14:55:13 <xgerman_> (which is BPF under the cover but…)
14:55:19 <annp> yes. maybe but i'm not sure :)
14:55:50 <xgerman_> we should also look at how Octavia/LBaaS define L7 rules
14:56:15 <SridarK> xgerman_: that would be useful
14:56:16 <xgerman_> https://developer.openstack.org/api-ref/load-balancer/v2/#l7-policies
14:56:25 <annp> xgerman_ +1
14:56:52 <xgerman_> yeah, if we can settle on a common “language” that would  make it easier for users
14:57:05 <xgerman_> I also think CCF was going in that direction
14:57:21 <annp> So I think we can create a etherpad to collect requirement and idea for L7 filtering, Do you think so?
14:57:29 <SridarK> annp: +1
14:57:58 <SridarK> xgerman_: we should also evaluate where we stand with CCF
14:58:11 <SridarK> and also the progress on CCF
14:58:31 <xgerman_> +1
14:59:17 <annp> https://etherpad.openstack.org/p/fwaas-v2-L7-filtering
14:59:30 <SridarK> annp: ok great lets add thoughts there
14:59:49 <SridarK> ok we are at time
14:59:53 <SridarK> thanks all for joining
15:00:08 <SridarK> bye
15:00:12 <annp> thanks all
15:00:14 <SridarK> #endmeeting