14:00:06 <SridarK> #startmeeting fwaas
14:00:07 <annp_> hi SridarK
14:00:11 <openstack> Meeting started Thu Jul 12 14:00:06 2018 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:12 <yushiro> annp_, Yeah, later is better.
14:00:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:14 <longkb> hi SridarK
14:00:15 <openstack> The meeting name has been set to 'fwaas'
14:00:25 <SridarK> #chair yushiro xgerman_
14:00:26 <openstack> Current chairs: SridarK xgerman_ yushiro
14:00:38 <SridarK> Just got back from long PTO
14:00:54 <yushiro> Welcome back, SridarK :)
14:00:56 <SridarK> sorry could not stay on top of things completely but caught up on logs
14:01:09 <SridarK> so let me do my turn today
14:01:15 <SridarK> thx xgerman_ and yushiro
14:01:27 <yushiro> OK
14:01:41 <xgerman_> o/
14:01:42 <longkb> +1 SridarK
14:01:42 <SridarK> #topic announcements
14:01:50 <SridarK> we are getting close
14:02:22 <SridarK> but seems like things are chugging along, lets get to updates quickly so we can focus on the patches
14:02:28 <SridarK> #topic FWaaS logging
14:02:45 <SridarK> #link https://review.openstack.org/#/c/529814/
14:02:58 <SridarK> #link https://review.openstack.org/#/c/553738/
14:03:06 <SridarK> annp_: longkb pls go ahead
14:03:18 <longkb> Thanks SridarK
14:03:33 <SridarK> yushiro: i think u were just asking just as we started too
14:04:02 <longkb> I draft a review plan for fwaas logging. You guys can check it in https://etherpad.openstack.org/p/Logging_service_for_FWaaS_review_plan
14:04:32 <longkb> I also mark the order for review  these patches
14:04:41 <yushiro> SridarK, yeah, longkb explains about how to test.
14:04:53 <SridarK> longkb: ah thx - very informative
14:05:04 <SridarK> so we have dependencies on the neutron patches
14:05:08 <longkb> thanks SridarK, yushiro
14:05:14 <longkb> yep
14:05:38 <SridarK> do u think the neutron patches will make it in time ?
14:06:17 <longkb> annp_: how do you think?
14:06:31 <annp_> longkb, that's great
14:06:56 <yushiro> SridarK, Currently, I think these patches in neutron are OK except some nits.  However, it's better to ask Miguel for FFE.
14:07:10 <SridarK> yushiro: ok
14:07:16 <annp_> yushiro +1
14:07:30 <annp_> SridarK, +1
14:07:35 <longkb> annp_, yushiro: +1
14:07:37 <yushiro> And annp_ will ask Miguel and Jakub :)
14:07:38 <SridarK> yushiro: so we will need an FFE for the FWaaS side as well
14:07:45 <SridarK> if we have a dependency
14:07:48 <yushiro> SridarK, Aha, yes.
14:08:01 <annp_> yushiro, I will ask Miguel in next neutron meeting for FFE
14:08:08 <SridarK> annp_: +1
14:08:33 <SridarK> Do we need all 3 neutron patches to merge before merging any patch on FWaaS side ?
14:09:00 <yushiro> I think YES. annp_ longkb , right?
14:09:24 <longkb> SridarK: I think neutron patches should be merged first
14:09:52 <annp_> Sriark, yushiro, right. We need 3 patches to get merge first.
14:10:18 <SridarK> ok so we will need 3 patches in neutron and 8 patches in FWaaS to merge on FFE
14:10:21 <annp_> Sridark, So please help us to review it. :)
14:10:35 <SridarK> annp_: yes on it will work on it today
14:10:40 <longkb> thanks SridarK
14:10:50 <annp_> SridarK, Thanks a ton!
14:11:45 <SridarK> ok do u want to discuss any other issues here
14:12:13 <annp_> SridarK, please go ahead
14:12:13 <yushiro> annp_, longkb As I said before, for testing perspective, in FWaaS side patches, do we need to add dependencies?
14:12:36 <SridarK> i think if we document our test results in a similar manner to the review plan (which is great) - we make our chances better for FFE
14:12:59 <yushiro> SridarK, +10  I think so.
14:13:07 <annp_> SridarK, +10.
14:13:24 <longkb> SridarK, +10
14:13:53 <SridarK> Is that a 10 decimal or binary ? :-) (I am trying to be like yushiro ) :-)
14:14:15 <SridarK> ok lets move on - i think we have a plan
14:14:19 <yushiro> SridarK, Hahaha :p
14:14:34 <SridarK> and now that i am back from PTO - i will also work on reviews
14:14:43 <xgerman_> sweet
14:14:50 <SridarK> #topic Remote FWG
14:14:56 <SridarK> xgerman_: pls go ahead
14:15:11 <SridarK> #link https://review.openstack.org/#/c/521207/
14:15:25 <xgerman_> Most of it is done but I am at my wits end with ovs…
14:15:47 <xgerman_> not sure how to debug that effectively :-(
14:16:11 <SridarK> sigh - let me also reach out chandanc and annp is here too
14:16:40 <xgerman_> thanks — yeah, I could probably figure it out but I also have other priorities which eat up my time :-(
14:16:55 <SridarK> xgerman_: yes indeed totally understand
14:17:01 <annp_> xgerman_, I have a question: There is no DENY action for each remote group rule?
14:17:41 <xgerman_> mmh, I thought I had deny
14:17:46 <annp_> xgerman_, I mean there are only ALLOW action for remote group rule, right?
14:18:12 <xgerman_> they are just a way to describe a group of ports so deny is plausible
14:18:51 <xgerman_> or more general we should support all actions
14:20:09 <annp_> xgerman_, OK. I got it.
14:20:14 <yushiro> remote_group_id allows from all neutron ports which is associated with its firewall_group, right?
14:20:27 <yushiro> oops, sorry.  remote_firewall_group_id.
14:20:43 <annp_> xgerman_, So we only support action "Allow" in remote group rule ATM?
14:20:44 <xgerman_> I can see also a use case where you would deny certain traffic from those ports
14:20:50 <annp_> xgerman_, right?
14:21:23 <xgerman_> I am confused then - I thought  remote FWG is another way to describe ports and it’s independent of the action
14:21:24 <SridarK> We should probably be in line with Remote SG here
14:22:30 <SridarK> And the action is another attribute in the rule (which is independent)
14:22:33 <xgerman_> aka if I have a remote FWG describing web servers I would want to  only allow certain traffic from there to a database and block the rest
14:22:43 <xgerman_> SridarK: +1
14:23:19 <annp_> SridarK, +1
14:23:50 <annp_> xgerman_, I got it. Thanks.
14:23:59 <yushiro> Aha, if we use remote_fwg_id like SG, it means 'allow traffic from neutron ports'.  However, we can also extend to use as 'deny' as SridarK said.
14:24:10 <xgerman_> yep, or drop
14:24:19 <yushiro> xgerman_, I see :)
14:24:42 <SridarK> I am not sure maybe we want alignment with SG - so there is no confusion with users
14:24:47 <SridarK> *for users
14:25:03 <annp_> SridarK, +100
14:25:12 <xgerman_> yeah, the simple case should align + more advanced users should get more latitude
14:25:30 <yushiro> xgerman_, I think it's OK to support 'allow' first like SG.  After that, we can also support 'drop' case :)
14:25:38 <xgerman_> +1
14:25:45 <yushiro> step by step :p
14:25:50 <yushiro> Yeah
14:25:54 <SridarK> xgerman_: ah yes exactly what yushiro says
14:26:27 <annp_> SridarK, +1
14:26:52 <xgerman_> +1
14:29:50 <annp_> xgerman_, please go ahead
14:30:11 <xgerman_> yeah, the other two pieces are done (client + plugin)
14:30:29 <SridarK> ok cool xgerman_ - i reached out to chandan too - if we can leverage some of his scripts for ovs debugging (i recall he had some things)
14:30:39 <xgerman_> that would be great!!
14:30:53 <SridarK> ok cool - lets move on
14:30:57 <xgerman_> +1
14:30:57 <yushiro> +1
14:31:09 <annp_> +1
14:31:22 <SridarK> #topic Bugs
14:31:38 <SridarK> #link https://bugs.launchpad.net/neutron/+bug/1762454
14:31:38 <openstack> Launchpad bug 1762454 in neutron "FWaaS: Invalid port error on associating ports (distributed router) to firewall group" [Medium,In progress] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
14:31:45 <SridarK> yushiro: thanks for picking this up
14:31:52 <SridarK> some history - i had talked to
14:31:57 <yushiro> You're welcome.
14:32:01 <yushiro> OK
14:32:31 <SridarK> swami before i left on PTO - i think we are good on the DVR side - i wanted to verify the ns implications where rules are applied
14:32:43 <SridarK> but i had concerns on the HA side
14:33:00 <SridarK> the validation check is easy but operationally i have some concerns
14:33:33 <SridarK> hence i was a bit unsure - as it requires some thorough verification
14:33:45 <SridarK> yushiro: not sure if u have more data on it
14:34:28 <yushiro> SridarK, I just checked 'device_owner' of each case and namespace structure..  Not tested yet.
14:34:46 <SridarK> yushiro: ok
14:34:51 <yushiro> each case means  1. DVR,  2. L3-HA   3.DVR + L3-HA
14:35:06 <SridarK> yushiro: ok lets talk offline on it to make sure we have no issues
14:35:30 <SridarK> I was good with (1) but (2) & (3) have some concerns on datapath
14:35:54 <SridarK> yushiro: will sync up with u more on it
14:36:08 <yushiro> SridarK, OK, thanks.
14:36:25 <SridarK> any other bugs needing discussion
14:36:44 <annp_> SriarK, Hi
14:36:56 <SridarK> annp_: pls go ahead
14:37:21 <annp_> In order to support wsgi server for neutron, there is an issue related to fwaas rpc as http://lists.openstack.org/pipermail/openstack-dev/2018-June/131722.html
14:37:53 <annp_> I and zigo try to fix that at https://review.openstack.org/#/c/580327/
14:38:11 <zigo> o/
14:38:13 <annp_> and https://review.openstack.org/#/c/579433/
14:38:22 <zigo> I can confirm that the patch from annp_ works very well.
14:38:39 <SridarK> ah yes
14:38:45 <zigo> I would very much warmly welcome merging, that one plus the other wsgi patches for Neutron itself.
14:38:45 <annp_> zigo, Thanks zigo.
14:39:05 <SridarK> annp_: zigo perfect many thx
14:39:06 <xgerman_> +1
14:39:16 <SridarK> will do
14:39:24 <annp_> +10
14:39:29 <yushiro> annp_, zigo Thanks.  In order to check these behavior, do we need 2 patches (neutron + neutron-fwaas)
14:39:29 <SridarK> is there a dependency we need to be aware of ?
14:39:30 <zigo> I didn't check the v2 one though, only v1...
14:40:11 <annp_> yushiro, actually these patches don't depend on neutron.
14:40:40 <SridarK> annp_: ok
14:40:50 <annp_> zigo, Could you please help us to verify with v2?
14:40:51 <SridarK> will review
14:41:33 <annp_> SridarK, thanks!
14:41:47 <yushiro> annp_, You mean, if we apply https://review.openstack.org/#/c/580327/ and deploy devstack.  Then, we can check q-svc's status, right?
14:42:13 <yushiro> oops, strange english ...
14:42:13 <annp_> yushrio, of course!
14:42:25 <yushiro> OK, will try it as well.
14:42:30 <zigo> yushiro: You need 1/ the fix for neutron to load properly using neutron-api + neutron-rpc-server at https://review.openstack.org/#/c/555608/
14:42:30 <zigo> 2/ load neutron using uwsgi (if you're with devstack, some of these will help: https://review.openstack.org/#/c/580049/ https://review.openstack.org/#/c/473718/ )
14:42:30 <zigo> 3/ the fwaas patches: https://review.openstack.org/#/c/580327/ https://review.openstack.org/#/c/579433/
14:42:40 <zigo> All of these need to be merged.
14:43:04 <zigo> Yeah, that one too... https://review.openstack.org/#/c/580327/
14:43:11 <yushiro> zigo, Thanks.  Do I need to edit some config file ?
14:43:35 <zigo> yushiro: If you're with devstack, I'm not sure, I do Debian packages integration, in my setup, it just work.
14:43:56 <annp_> zigo, These steps are necessary if yushiro wants to deploy neutron-api under uwsgi. otherwise we don't need.
14:44:00 <zigo> yushiro: You can also just run Debian with puppet-openstack and it will setup everything for you automatically, though that's going to be Queens ...
14:44:13 <yushiro> zigo, I usually use devstack :p  But thanks :)
14:44:14 <zigo> Right.
14:44:50 <annp_> yushrio, you can try with devstack by https://review.openstack.org/#/c/473718/
14:44:58 <yushiro> zigo, Aha!!  I had asked you same question ..
14:45:49 <yushiro> annp_, Thanks.
14:46:28 <annp_> yushrio, you should pull down the patch and modify a bit https://review.openstack.org/#/c/473718/31/lib/neutron-legacy@94
14:46:46 <SridarK> Sounds good then we will target these 2 patches
14:46:48 <annp_> NEUTRON_DEPLOY_MOD_WSGI should be set True
14:47:07 <yushiro> annp_, +1 .  BTW, my name is yushiro.  Haha :p
14:47:38 <annp_> yushiro, oh, I'm so sorry. :)
14:47:45 <SridarK> Although yushrio - has a nice ring to it too :-)
14:47:59 <yushiro> :)
14:48:05 <yushiro> annp_, no worries
14:48:19 <SridarK> ok lets move on
14:48:21 <annp_> yushiro: thanks. :)
14:48:28 <SridarK> #topic Address Groups
14:48:37 <annp_> SridarK, thanks!
14:48:48 <SridarK> oh looks like wkite is no longer here
14:49:16 <yushiro> Oh, I couldn't reach out miguel this week..
14:49:34 <SridarK> yushiro: i will msg him
14:49:44 <yushiro> SridarK, Thank you so much.
14:49:45 <SridarK> more time zone aligned
14:49:58 <SridarK> hopefully we can get a +A
14:50:03 <SridarK> else it will be in S
14:50:10 <SridarK> #topic Open Discussion
14:50:48 <SridarK> CFP closes soon
14:51:01 <xgerman_> yep
14:51:04 <SridarK> annp_: u think u may be able to pull together something for L7 ?
14:51:30 <SridarK> not sure if u had too much time to go thru it
14:51:53 <SridarK> annp_: if u think u want to do something - we can talk on some possibilities
14:52:02 <yushiro> +1
14:52:49 <annp_> SridarK, yeah. I'd like to propose this for CFP. Do you want to become a speaker?
14:53:07 <SridarK> annp_: lets talk more - sure i can help out
14:53:23 <SridarK> annp_: but lets have a plan on the content
14:53:36 <SridarK> annp_: lets talk offline
14:53:55 <annp_> SridarK, Yes. lets sync up via email.
14:54:02 <SridarK> annp_: +1
14:54:39 <annp_> SridarK, I also want to propose this topic for vietnam openstack day :)
14:54:53 <yushiro> annp_, Sounds good :)
14:54:55 <SridarK> annp_: ok good
14:54:57 <xgerman_> +1
14:55:12 <longkb> +1 annp_
14:55:23 <annp_> SridarK, yushiro, xgerman_, thanks! :)
14:55:42 <annp_> longkb, thanks!
14:56:03 <SridarK> ok if nothing else we can end
14:56:20 <SridarK> Thx all for joining
14:56:26 <yushiro> Thanks!!
14:56:36 <SridarK> bye
14:56:38 <longkb> bye guys
14:56:39 <annp_> thanks all. See you
14:56:43 <SridarK> #endmeeting