14:00:06 <SridarK> #startmeeting fwaas
14:00:10 <openstack> Meeting started Thu Apr 19 14:00:06 2018 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:14 <openstack> The meeting name has been set to 'fwaas'
14:00:16 <yushiro> Hi
14:00:21 <SridarK> #chair xgerman_ yushiro
14:00:27 <openstack> Current chairs: SridarK xgerman_ yushiro
14:00:27 <annp_> Hi yushiro
14:00:44 <yushiro> Thanks SridarK and xgerman_ for last week meeting.
14:00:56 <SridarK> yushiro: no worries
14:01:15 <SridarK> i think today is xgerman_
14:01:30 <xgerman_> o/
14:01:38 <xgerman_> ok
14:01:40 <SridarK> xgerman_: hi the chair is yours
14:01:52 <xgerman_> #topic Announcements
14:01:54 <yushiro> OK, I'll do next week :) Thanks xgerman_
14:02:24 <xgerman_> TC nominations are open: so either run yourself or read the candidate statements
14:02:33 <SridarK> +1
14:03:00 <yushiro> +1
14:03:10 <annp_> +1
14:03:28 <xgerman_> so this week R-1 should be cut
14:04:52 <xgerman_> I haven’t paid much attention and with armax gone don’t really know who is cutting it this time
14:06:05 <xgerman_> #topic Rocky: Pluggable backend Driver
14:06:10 <xgerman_> doude?
14:06:26 <yushiro> Oh, doude is not here today.
14:06:36 <SridarK> hmm ok
14:06:46 <xgerman_> anyone can comment on the open issues?
14:07:07 <SridarK> i think once we clarify on the issues on tests reported by annp_ and yushiro - we can move fwd
14:07:31 <xgerman_> ok, sounds good — R-2 it is
14:07:32 <yushiro> SridarK, yes, the cause was calling update_firewall_group instead of set_port_default_firewall_group().
14:07:35 <SridarK> Also there was some concern from VMWare on their driver that we need to clarify on
14:07:53 <SridarK> with the changes
14:08:10 <SridarK> yes i think once we address these issues we can move fwd
14:08:11 <xgerman_> +1
14:08:27 <annp_> +1
14:08:32 <xgerman_> #topic Rocky Address Group Spec
14:08:34 <SridarK> yushiro: thx i see ur comment
14:08:44 <xgerman_> #link https://review.openstack.org/#/c/557137/
14:09:20 <xgerman_> wkite: please go ahead
14:09:49 <xgerman_> we have comments from SridarK and njohnston which need to be addressed
14:10:17 <wkite> I see is concerned about the ip address range.
14:10:22 <xgerman_> yes
14:11:28 <SridarK> wkite: we will need to assess the changes that may be needed on the drivers (iptables (which may be easy) and ovs(needs some evaluation))
14:11:49 <xgerman_> BTW iptables is being replaced with BPF
14:12:11 <SridarK> wkite: there were some other minor comments - if u can address and we continue the review on gerrit
14:12:12 <annp_> +1
14:12:31 <xgerman_> +1
14:12:46 <SridarK> xgerman_: hmm - so we will need a migration strategy - is that for L3 and L2 ?
14:13:06 <xgerman_> #link https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
14:13:30 <SridarK> will be more in line with times
14:13:35 <xgerman_> yep
14:13:46 <doude> Hi, sorry late
14:13:57 <xgerman_> ok, let’s circle back
14:14:03 <yushiro> xgerman_, Aha! I saw this document 2 days ago :)
14:14:28 <xgerman_> :-)
14:14:32 <xgerman_> #topic Rocky: Pluggable backend Driver
14:14:41 <xgerman_> doude: you have the floor
14:14:45 <doude> but no much to say, I did not had time to look at it (Contrail release plan for the end of the week)
14:15:14 <doude> I'll work on it next week
14:15:19 <doude> sorry for that
14:15:30 <xgerman_> thanks — let’s target R-2 for it then
14:15:32 <SridarK> doude: other than the issues reported - we should ensure VMWare has no issue
14:15:54 <SridarK> doude: i suspect we just need to clarify
14:16:05 <doude> yes I think
14:16:10 <doude> no yet confirm
14:16:37 <SridarK> lets pick it up when u have cycles next week maybe ?
14:16:49 <doude> yes I hope
14:16:50 <wkite> both iprange module of iptable and object group-based ACLs support any ip address to any ip address,we don't need subnet to check the ip range object.
14:17:46 <wkite> In other words, these problems have been solved at the driver level.
14:18:16 <yushiro> doude, I'd like to talk about the issue of current patchset. Do you have some time after this meeting?(about 10 minutes)
14:19:31 <doude> yes yushiro
14:19:38 <SridarK> wkite: lets pick up during open discussion or on gerrit
14:20:01 <yushiro> doude, cool. Thanks. I'd like to discuss about how to solve current issue.
14:20:38 <yushiro> wkite, Hi. I'll review your spec as well. I'm sorry I was late review .
14:21:08 <xgerman_> sounds good
14:21:42 <xgerman_> #topic Rocky FWaaS Logging spec
14:21:54 <xgerman_> #link https://review.openstack.org/#/c/509725/
14:23:09 <annp_> I think the spec is look good
14:23:25 <annp_> but it should be get more attention from core
14:23:31 <SridarK> I had no major concerns too
14:23:33 <annp_> :)
14:23:48 <yushiro> will check it annp_ . Sorry I was late as well.
14:23:49 <SridarK> let me run thru once later today and i think we can move fwd
14:23:50 <annp_> SridarK, thanks.
14:24:13 <yushiro> yes, totally LGTM I think.
14:24:22 <xgerman_> #action cores, review https://review.openstack.org/#/c/509725/
14:24:26 <annp_> yushiro, thanks.
14:24:37 <annp_> xgerman_: +1
14:25:23 <xgerman_> #topic Rocky Remote FWG
14:25:46 <xgerman_> #link https://review.openstack.org/#/c/521207/
14:26:09 <xgerman_> I split out the plugin part since the driver will need ovs conjectures — learning as I go
14:27:13 <SridarK> +1
14:27:20 <xgerman_> not sure what’s up with the gates though
14:27:23 <annp_> +1
14:28:33 <yushiro> ++1
14:29:28 <wkite> SridarK: My network is not good, Let's discuss it on gerrit.
14:29:39 <SridarK> wkite: ok
14:30:30 <xgerman_> Today was fast
14:30:36 <xgerman_> #topic Open Discussion
14:31:20 <yushiro> ya :)
14:31:26 <wkite> yushiro:welcome,thx
14:31:44 <xgerman_> ok, for the ones who have not commented yet:
14:31:48 <xgerman_> #link https://etherpad.openstack.org/p/fwaas-v2-L7-filtering
14:32:16 <annp_> xgerman_: are you going to vancouver?
14:32:23 <xgerman_> yes
14:32:30 <yushiro> annp_ has registered forum candidate about l7 and logging.
14:32:38 <xgerman_> nice
14:32:43 <annp_> I just add this topic at vancouver forum
14:32:51 <xgerman_> +1000
14:32:55 <yushiro> xgerman_, SridarK Unfortunately, I cannot go Vancouver summit ;; But annp_ can join :)
14:33:07 <SridarK> yushiro: oh sorry
14:33:12 <xgerman_> :-(
14:33:16 <SridarK> annp_: so u will be there
14:33:45 <annp_> Yes, I can join the summit. Yushiro I'm so sad to hear that
14:34:24 <SridarK> So it seems that 3 of us will be there
14:34:44 <yushiro> yees :) Safety trip !!
14:35:26 <annp_> SridarK, yes. maybe there are more member. Because Foundation will give us free hotel
14:35:41 <SridarK> annp_: ok
14:35:52 <yushiro> Ah, I found some minor issue about devstack configuration for [fwaas]firewall_l2_driver
14:36:07 <yushiro> Sorry, just changing a topic.
14:36:09 <xgerman_> go ahead
14:36:51 <yushiro> If we specify FW_L2_DRIVER=ovs in local.conf, [fwaas]firewall_l2_driver is added on /etc/neutron/plugins/ml2/ml2_conf.ini
14:37:34 <annp_> xgerman_, Do you think we should prepare some document for L7 filtering such as how L7 rule look like in fwaas?
14:37:36 <yushiro> However, it wasn't loaded successfully. --> firewall_l2_driver = noop
14:38:42 <xgerman_> annp_: yes, it’s always good to have something to show in the session
14:38:46 <SridarK> yushiro: do u see what is happening ?
14:39:03 <yushiro> I defined [fwaas]firewall_l2_driver = openvswitch into /etc/neutron/l3_agent.ini by manually, it succeeded.
14:39:37 <SridarK> annp_: i think u can have a workflow, what the rules will look like and what is needed from an implementation to achieve this
14:39:40 <yushiro> SridarK, Now I'm researching and haven't clarified yet.
14:39:48 <SridarK> yushiro: ok
14:40:07 <xgerman_> +1
14:40:21 <xgerman_> we really need to get our tempest house in order
14:40:46 <SridarK> xgerman_: +1 will get on that shortly
14:41:00 <SridarK> we have no L2 coverage at all
14:41:40 <SridarK> yushiro: this is odd - some regression or some change in devstack
14:41:49 <SridarK> possibly impacts us
14:42:09 <yushiro> SridarK, Yes, I think so too. Only effects developer :)
14:42:20 <annp_> xgerman_, SridarK, +1, So we will investigate and create a basic workflow for L7 filtering before the summit. I will create a mail thread for that. Is it ok?
14:42:39 <SridarK> annp_: +1
14:42:51 <yushiro> annp_, That's good.
14:42:52 <annp_> SridarK, thanks. :)
14:43:05 <xgerman_> +1
14:43:08 <annp_> +1
14:43:48 <yushiro> annp_, I think it's more better to talk about backend technology.
14:44:24 <yushiro> xgerman_ pasted the link about BPF replacing in linux kernel instead of iptables.
14:44:28 <annp_> In addition, As you know, iptables is being replaced by bpfilter So we can come up with bpf
14:44:41 <yushiro> Yes, that is :p
14:44:41 <annp_> I think :)
14:45:37 <yushiro> annp_, do you have link for forum candidate ?
14:45:39 <xgerman_> yep, we just need to check kernel versions — things move slow in OpenStack
14:45:53 <yushiro> xgerman_, +1
14:46:29 <annp_> http://forumtopics.openstack.org/cfp/details/144
14:46:41 <yushiro> THX!
14:47:29 <xgerman_> +1
14:48:13 <annp_> I think we can discuss more in next mtg.
14:48:20 <annp_> :)
14:48:30 <SridarK> sounds good annp_
14:48:33 <yushiro> Yes
14:48:34 <xgerman_> we should probably beef up the description
14:48:46 <annp_> yushiro, Do you want to discuss with doude's patch now?
14:48:46 <xgerman_> not sure who is reviewing this and how familiar they are with FWaaS V2
14:49:06 <yushiro> annp_, Yes, OK
14:49:12 <yushiro> ping doude
14:50:12 <yushiro> https://review.openstack.org/#/c/480265/19/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@294
14:50:33 <doude> yushiro: ack
14:50:58 <yushiro> doude, Plz open above link ^^^
14:51:05 <annp_> xgerman_, +1. Can you update the description for l7 filtering? Because I'm not good at english and also technical :)
14:51:25 <xgerman_> I can comment :-)
14:51:42 <doude> done yushiro
14:51:54 <annp_> xgerman_, yeah. Thanks in advance.
14:53:04 <yushiro> doude, In handle_update_port(), we shouldn't call update_firewall_group(). And, I think we have 2 solutions.
14:54:19 <yushiro> 1. Implement set_port_for_default_fwg() into plugin layer and call this method
14:55:28 <yushiro> 2. call update_firewall_group with some parameter (e.g. ignore_validation=True) and merge set_port_for_default_fwg into update_firewall_group
14:56:25 <yushiro> Could you tell your opinion for pluggable backend perspective. I think you'd like to avoid calling set_ports_for_default_fwg().
14:56:44 <doude> you mean we doesn't call update_firewall_group agent RPC method?
14:57:26 <yushiro> doude, Yes. and performance perspective, at that timing, we should call set_ports_for_default_fwg().
14:58:39 <doude> what's set_port_for_default_firewall_group ?
14:58:57 <yushiro> https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/db/firewall/v2/firewall_db_v2.py#L1113
14:59:08 <yushiro> DB layer's method.
14:59:26 <annp_> set_port_for_default_fwg just added port to firewall group associated table.
15:00:04 <doude> so how the agent aware of port added to FG?
15:00:38 <xgerman_> annp_: commented on the forum proposal
15:00:41 <SridarK> doude: L2 scenario is handled a bit differently
15:00:54 <annp_> doude, agent will receive a port add event if there is a port is added to bridge
15:00:57 <xgerman_> also time - should we close the meeting?
15:01:05 <SridarK> xgerman_: +1
15:01:08 <yushiro> xgerman_, Yes, It's OK to close :)
15:01:13 <xgerman_> #endmeeting