14:00:06 #startmeeting fwaas
14:00:07 hi SridarK
14:00:11 Meeting started Thu Jul 12 14:00:06 2018 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:12 annp_, Yeah, later is better.
14:00:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:14 hi SridarK
14:00:15 The meeting name has been set to 'fwaas'
14:00:25 #chair yushiro xgerman_
14:00:26 Current chairs: SridarK xgerman_ yushiro
14:00:38 Just got back from long PTO
14:00:54 Welcome back, SridarK :)
14:00:56 sorry could not stay on top of things completely but caught up on logs
14:01:09 so let me do my turn today
14:01:15 thx xgerman_ and yushiro
14:01:27 OK
14:01:41 o/
14:01:42 +1 SridarK
14:01:42 #topic announcements
14:01:50 we are getting close
14:02:22 but seems like things are chugging along, lets get to updates quickly so we can focus on the patches
14:02:28 #topic FWaaS logging
14:02:45 #link https://review.openstack.org/#/c/529814/
14:02:58 #link https://review.openstack.org/#/c/553738/
14:03:06 annp_: longkb pls go ahead
14:03:18 Thanks SridarK
14:03:33 yushiro: i think u were just asking just as we started too
14:04:02 I draft a review plan for fwaas logging. You guys can check it in https://etherpad.openstack.org/p/Logging_service_for_FWaaS_review_plan
14:04:32 I also mark the order for review these patches
14:04:41 SridarK, yeah, longkb explains about how to test.
14:04:53 longkb: ah thx - very informative
14:05:04 so we have dependencies on the neutron patches
14:05:08 thanks SridarK, yushiro
14:05:14 yep
14:05:38 do u think the neutron patches will make it in time ?
14:06:17 annp_: how to you think?
14:06:31 longkb, that's great
14:06:56 SridarK, Currently, I think these patches in neutron are OK except some nits. However, it's better to ask Miguel for FFE.
14:07:10 yushiro: ok
14:07:16 yushiro +!
14:07:30 SridarK, +!
14:07:35 annp_, yushiro: +1
14:07:37 And annp_ will ask Miguel and Jakub :)
14:07:38 yushiro: so we will need an FFE for the FWaaS side as well
14:07:45 if we have a dependency
14:07:48 SridarK, Aha, yes.
14:08:01 yushiro, I will ask Miguel in next neutron meeting for FFE
14:08:08 annp_: +1
14:08:33 Do we need all 3 neutron patches to merge before merging any patch on FWaaS side ?
14:09:00 I think YES. annp_ longkb , right?
14:09:24 SridarK: I think neutron patches should be merged first
14:09:52 Sriark, yushiro, right. We need 3 patches to get merge first.
14:10:18 ok so we will need 3 patches in neutron and 8 patches in FWaaS to merge on FFE
14:10:21 Sridark, So please help us to review it. :)
14:10:35 annp_: yes on it will work on it today
14:10:40 thanks SridarK
14:10:50 SridarK, Thanks a ton!
14:11:45 ok do u want to discuss any other issues here
14:12:13 SridarK, please go ahead
14:12:13 annp_, longkb As I said before, for testing perspective, in FWaaS side patches, do we need to add dependencies?
14:12:36 i think if we document our test results in a similar manner to the review plan (which is great) - we make our chances better for FFE
14:12:59 SridarK, +10 I think so.
14:13:07 SridarK, +10.
14:13:24 SridarK, +10
14:13:53 Is that a 10 decimal or binary ? :-) (I am trying to be like yushiro ) :-)
14:14:15 ok lets move on - i think we have a plan
14:14:19 SridarK, Hahaha :p
14:14:34 and now that i am back from PTO - i will also work on reviews
14:14:43 sweet
14:14:50 #topic Remote FWG
14:14:56 xgerman_: pls go ahead
14:15:11 #link https://review.openstack.org/#/c/521207/
14:15:25 Most of it is done but I am at my wits end with ovs…
14:15:47 not sure how to debug that effectively :-(
14:16:11 sigh - let me also reach out chandanc and annp is here too
14:16:40 thanks — yeah, I could probably figure it out but I also have other priorities which eat up my time :-(
14:16:55 xgerman_: yes indeed totally understand
14:17:01 xgerman_, I have a question: There is no DENY action for each remote group rule?
14:17:41 mmh, I thought I had deny
14:17:46 xgerman_, I mean there are only ALLOW action for remote group rule, right?
14:18:12 they are just a way to describe a group of ports so deny is plausible
14:18:51 or more general we should support all actions
14:20:09 xgerman_, OK. I got it.
14:20:14 remote_group_id allows from all neutron ports which is associated with its firewall_group, right?
14:20:27 oops, sorry. remote_firewall_group_id.
14:20:43 xgerman_, So we only support action "Allow" in remote group rule ATM?
14:20:44 I can see also a use case where you would deny certain traffic from those ports
14:20:50 xgerman_, right?
14:21:23 I am confused then - I thought remote FWG is another way to describe ports and it’s independent of the action
14:21:24 We should probably be in line with Remote SG here
14:22:30 And the action is another attribute in the rule (which is independent)
14:22:33 aka if I have a remote FWG describing web servers I would want to only allow certain traffic from there to a database and block the rest
14:22:43 SridarK: +1
14:23:19 SridarK, +1
14:23:50 xgerman_, I got it. Thanks.
14:23:59 Aha, if we use remote_fwg_id like SG, it means 'allow traffic from neutron ports'. However, we can also extend to use as 'deny' as SridarK said.
14:24:10 yep, or drop
14:24:19 xgerman_, I see :)
14:24:42 I am not sure maybe we want alignment with SG - so there is no confusion with users
14:24:47 *for users
14:25:03 SridarK, +100
14:25:12 yeah, the simple case should align + more advanced users should get more latitude
14:25:30 xgerman_, I think it's OK to support 'allow' first like SG. After that, we can also support 'drop' case :)
14:25:38 +1
14:25:45 step by step :p
14:25:50 Yeah
14:25:54 xgerman_: ah yes exactly what yushiro says
14:26:27 SridarK, +1
14:26:52 +1
14:29:50 xgerman_, please go ahead
14:30:11 yeah, the other two pieces are done (client + plugin)
14:30:29 ok cool xgerman_ - i reached out to chandan too - if we can leverage some of his scripts for ovs debugging (i recall he had some things)
14:30:39 that would be great!!
14:30:53 ok cool - lets move on
14:30:57 +1
14:30:57 +1
14:31:09 +1
14:31:22 #topic Bugs
14:31:38 #link https://bugs.launchpad.net/neutron/+bug/1762454
14:31:38 Launchpad bug 1762454 in neutron "FWaaS: Invalid port error on associating ports (distributed router) to firewall group" [Medium,In progress] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
14:31:45 yushiro: thanks for picking this up
14:31:52 some history - i had talked to
14:31:57 You're welcome.
14:32:01 OK
14:32:31 swami before i left on PTO - i think we are good on the DVR side - i wanted to verify the ns implications where rules are applied
14:32:43 but i had concerns on the HA side
14:33:00 the validation check is easy but operationally i have some concerns
14:33:33 hence i was a bit unsure - as it requires some thorough verification
14:33:45 yushiro: not sure if u have more data on it
14:34:28 SridarK, I just checked 'device_owner' of each case and namespace structure.. Not tested yet.
14:34:46 yushiro: ok
14:34:51 each case means 1. DVR, 2. L3-HA 3.DVR + L3-HA
14:35:06 yushiro: ok lets talk offline on it to make sure we have no issues
14:35:30 I was good with (1) but (2) & (3) have some concerns on datapath
14:35:54 yushiro: will sync up with u more on it
14:36:08 SridarK, OK, thanks.
14:36:25 any other bugs needing discussion
14:36:44 SriarK, Hi
14:36:56 annp_: pls go ahead
14:37:21 In order to support wsgi server for neutron, there is an issue related fwaas rpc as http://lists.openstack.org/pipermail/openstack-dev/2018-June/131722.html
14:37:53 I and zigo try to fix that at https://review.openstack.org/#/c/580327/
14:38:11 o/
14:38:13 and https://review.openstack.org/#/c/579433/
14:38:22 I can confirm that the patch from annp_ works very well.
14:38:39 ah yes
14:38:45 I would very much warmly welcome merging, that one plus the other wsgi patches for Neutron itself.
14:38:45 zigo, Thanks zigo.
14:39:05 annp_: zigo perfect many thx
14:39:06 +1
14:39:16 will do
14:39:24 +10
14:39:29 annp_, zigo Thanks. In order to check these behavior, do we need 2 patches (neutron + neutron-fwaas)
14:39:29 is there a dependency we need to be aware of ?
14:39:30 I didn't check the v2 one though, only v1...
14:40:11 yushiro, actually these patch doesn't depend on neutron.
14:40:40 annp_: ok
14:40:50 zigo, Could you please help us to verify with v2?
14:40:51 will review
14:41:33 SridarK, thanks!
14:41:47 annp_, You mean, if we apply https://review.openstack.org/#/c/580327/ and deploy devstack. Then, we can check q-svc's status, right?
14:42:13 oops, strange english ...
14:42:13 yushrio, of course!
14:42:25 OK, will try it as well.
14:42:30 yushiro: You need 1/ the fix for neutron to load properly using neutron-api + neutron-rpc-server at https://review.openstack.org/#/c/555608/
14:42:30 2/ load neutron using uwsgi (if you're with devstack, some of these will help: https://review.openstack.org/#/c/580049/ https://review.openstack.org/#/c/473718/ )
14:42:30 3/ the fwaas patches: https://review.openstack.org/#/c/580327/ https://review.openstack.org/#/c/579433/
14:42:40 All of these need to be merged.
14:43:04 Yeah, that one too... https://review.openstack.org/#/c/580327/
14:43:11 zigo, Thanks. Do I need to edit some config file ?
14:43:35 yushiro: If you're with devstack, I'm not sure, I do Debian packages integration, in my setup, it just work.
14:43:56 zigo, These step is necessary if yushiro want to deploy neutron-api under uwsgi. otherwise we don't need.
14:44:00 yushiro: You can also just run Debian with puppet-openstack and it will setup everything for you automatically, though that's going to be Queens ...
14:44:13 zigo, I usually use devstack :p But thanks :)
14:44:14 Right.
14:44:50 yushrio, you can try with devstack by https://review.openstack.org/#/c/473718/
14:44:58 zigo, Aha!! I had asked you same question ..
14:45:49 annp_, Thanks.
14:46:28 yushrio, you should pull down the patch and modify a bit https://review.openstack.org/#/c/473718/31/lib/neutron-legacy@94
14:46:46 Sounds good then we will target these 2 patches
14:46:48 NEUTRON_DEPLOY_MOD_WSGI should be set True
14:47:07 annp_, +1 . BTW, my name is yushiro. Haha :p
14:47:38 yushiro, oh, I'm so sorry. :)
14:47:45 Although yushrio - has a nice ring to it too :-)
14:47:59 :)
14:48:05 annp_, no worries
14:48:19 ok lets move on
14:48:21 yushiro: thanks. :)
14:48:28 #topic Address Groups
14:48:37 SridarK, thanks!
14:48:48 oh looks like wkite is no longer here
14:49:16 Oh, I couldn't reach out miguel this week..
14:49:34 yushiro: i will msg him
14:49:44 SridarK, Thank you so much.
14:49:45 more time zone aligned
14:49:58 hopefully we can get a +A
14:50:03 else it will be in S
14:50:10 #topic Open Discussion
14:50:48 CFP closes soon
14:51:01 yep
14:51:04 annp_: u think u may be able to pull together something for L7 ?
14:51:30 not sure if u had too much time to go thru it
14:51:53 annp_: if u think u want to do something - we can talk on some possibilities
14:52:02 +1
14:52:49 SridarK, yeah. I'd like to propose this for CFP. Do you want to become a speaker?
14:53:07 annp_: lets talk more - sure i can help out
14:53:23 annp_: but lets have a plan on the content
14:53:36 annp_: lets talk offline
14:53:55 SridarK, Yes. lets sync up via email.
14:54:02 annp_: +1
14:54:39 SridarK, I also want to propose this topic for vietnam openstack day :)
14:54:53 annp_, Sounds good :)
14:54:55 annp_: ok good
14:54:57 +1
14:55:12 +1 annp_
14:55:23 SridarK, yushiro, xgerman_m thanks! :)
14:55:42 longkb, thanks!
14:56:03 ok if nothing else we can end
14:56:20 Thx all for joining
14:56:26 Thanks!!
14:56:36 bye
14:56:38 bye guys
14:56:39 thanks all. See you
14:56:43 #endmeeting