14:00:43 <yushiro> #startmeeting fwaas
14:00:44 <openstack> Meeting started Thu Jul 19 14:00:43 2018 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:45 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:48 <openstack> The meeting name has been set to 'fwaas'
14:00:59 <yushiro> #chair SridarK xgerman_
14:00:59 <openstack> Current chairs: SridarK xgerman_ yushiro
14:01:13 <yushiro> SridarK, Maybe today is my turn :p
14:01:22 <xgerman_> o/
14:02:47 <yushiro> Hi chandanc , :p
14:02:52 <yushiro> OK, let's start.
14:02:59 <yushiro> #topic announcements
14:02:59 <chandanc> Hello all
14:03:07 <chandanc> Hello yushiro
14:03:33 <yushiro> :)
14:04:03 <yushiro> We're now R-6 https://releases.openstack.org/rocky/schedule.html
14:04:51 <yushiro> Jul 23 - Jul 27, this is Rocky-3 milestone and we need to tell Feature freeze if necessary.
14:05:21 <yushiro> Oh, network connection looks unstable in SridarK's side..
14:06:49 <SridarK_> yes i am back
14:06:56 <yushiro> Welcome back :)
14:07:18 <yushiro> CALL FOR PRESENTATIONS for Berlin summit has closed. (17th)
14:08:02 <yushiro> If you submitted some presentation, please tell us during vote-for-presentation :p
14:08:25 <yushiro> Anything else to announce?
14:08:27 <longkb> +1 yushiro
14:09:17 <SridarK_> yushiro: nothing from me
14:09:42 <yushiro> OK, thanks.
14:09:47 <yushiro> #topic Rocky
14:10:06 <yushiro> Logging for FWaaS v2
14:10:17 <yushiro> #link https://review.openstack.org/#/q/topic:bug/1720727+(status:open)
14:10:39 <yushiro> annp_, hoangcx , longkb plz go ahead.
14:10:46 <SridarK_> annp: longkb: I started going thru the patches
14:11:02 <longkb> I have updated the guide for testing: https://github.com/longkb/logging/blob/master/Ingration%20guideline%20for%20logging%20service%20in%20FWaaS.rst
14:11:14 <SridarK_> trying to piece things together so pls be tolerant of stupid questions i will continue to ask
14:11:45 <longkb> the relation between patches also created :)
14:12:10 <yushiro> longkb, good document and thanks for rebasing with relation.
14:12:23 <longkb> SridarK_: please help us to review our patches
14:12:48 <yushiro> SridarK_, Very helpful for us and that IS core reviewing :)
14:13:08 <SridarK_> yushiro: +1
14:13:20 <longkb> yushiro: A bug from libnetfilter_log has been fixed by AnNP
14:13:39 <SridarK_> So have u asked for an FFE ?
14:13:42 <longkb> We are able to catch log in /var/log/syslog now
14:14:04 <yushiro> SridarK_, Not yet but I will ask an FFE tomorrow.
14:14:14 <SridarK_> yushiro: ok
14:14:33 <annp_> SridarK, yushiro, longkb: thanks
14:14:41 <yushiro> So, annp_ longkb , we need to ask FFE for https://review.openstack.org/#/q/topic:bug/1720727+(status:open) , right?
14:14:44 <annp_> yushiro:+1
14:14:54 <longkb> annp: thanks for your great work :D
14:15:04 <longkb> +100 yushiro
14:15:18 <annp_> yushiro, yes. Please ask our PTL for FFE
14:15:23 <yushiro> 13 patches( 8: neutron-fwaas,  4:neutron, 1:python-neutronclient)
14:15:34 <yushiro> OK,
14:15:52 <yushiro> Next,  "Remote firewall group"
14:16:02 <annp_> mlavalle, Can we send the FFE email tomorrow?
14:16:29 <annp_> maybe he is not here.
14:16:35 <yushiro> #link https://review.openstack.org/#/c/564888/
14:16:35 <SridarK_> annp_: yes
14:16:36 <xgerman_> maybe
14:17:01 <annp_> yushiro, Sorry for interrupt. Please go ahead.
14:17:13 <yushiro> I'll ask him on neutron channel as well.
14:17:19 <xgerman_> ok
14:17:31 <annp_> yushiro, +1
14:19:24 <amotoki> for python-neutronclient, we don't apply FFE. client FF will be the next week
14:19:47 <amotoki> we need to wait neutronclient from Stein for some FFE feature
14:19:48 <yushiro> amotoki, I see.  Thanks
14:19:55 <xgerman_> #link https://review.openstack.org/#/c/571331/
14:20:12 <xgerman_> will address yushiro ’s comment and that should be good
14:21:07 <SridarK_> xgerman_: shd we close on the ovs driver related conversations
14:21:15 <yushiro> xgerman_, +1
14:21:38 <yushiro> SridarK_, +1 Yes, I wanted to decide about this specification.
14:21:55 <yushiro> chandanc, Thanks for your investigation about remote firewall group.
14:21:55 <xgerman_> I am good with the outcome of the discussion
14:22:01 <xgerman_> chandanc: +1
14:22:20 <SridarK_> chandanc: yes many thx for ur time
14:22:25 <chandanc> Sure yushiro , xgerman_ . I will try to get into the ovs rules part
14:22:40 <xgerman_> thank you so much!!!
14:22:43 <SridarK_> xgerman_: yes that seems reasonable
14:23:41 <yushiro> So, we should follow SG behavior first. It means, we should add 'remote_group_id' into firewall_rule.
14:24:11 <chandanc> yushiro: yes,
14:24:15 <SridarK_> yushiro: +1
14:24:36 <xgerman_> there already is a remote_group_id on the inside
14:24:58 <yushiro> xgerman_, Aha!  That's nice.
14:25:08 <yushiro> OK, so, client patch should also fix to align with this specification.
14:25:53 <chandanc> yushiro: can i have the client patch link ?
14:26:01 <yushiro> I think that we don't need to specify 'source/destination' for remote_group_id.
14:26:06 <yushiro> chandanc, https://review.openstack.org/#/c/571331/
14:26:14 <chandanc> thanks
14:26:17 <chandanc> yushiro: +1
14:26:42 <xgerman_> yeah, I don’t really want to change the client around since that would mean an API change for an API we merged in Q
14:28:22 <chandanc> xgerman_: yushiro i will go through the client code and summarize in mail,
14:28:39 <yushiro> Aha.  Thanks chandanc.
14:28:42 <xgerman_> the client is on top of a neutron-lib change from Q
14:28:42 <chandanc> xgerman_: i agree, we need to be careful with the client
14:28:53 <yushiro> xgerman_, I see.
14:28:59 <SridarK_> xgerman_: oh ok
14:29:31 <SridarK_> xgerman_: need to understand that more if we need to have options for both src and dst fwg
14:30:30 <xgerman_> https://developer.openstack.org/api-ref/network/v2/#fwaas-v2-0-current-fwaas-firewall-groups-firewall-policies-firewall-rules
14:31:04 <yushiro> SridarK_, Yes.  I still don't clear if we have such option in the future.
14:31:28 <yushiro> It's simple to allow ingress/egress traffic with remote_group_id ( align with SG )
14:32:18 <chandanc> SridarK_: yushiro my only worry about client changes is, if we remove src rfwg and dst rfwg and replace with only rfwg, the rules will lose its standalone meaning
14:32:18 <xgerman_> if we want to get rid of src/dst we need to start a deprecation cycle
14:32:51 <chandanc> so have to think a bit more, maybe i am out of touch and need to catch up
14:32:54 <xgerman_> chandanc: +1
14:33:14 <SridarK_> Also may be if we look at it from the perspective of an L3 port then maybe it makes sense as in the API
14:33:23 <xgerman_> yep
14:33:35 <yushiro> xgerman_, Ah, I see. Our API reference has been added source/destination firewall_group ID.
14:34:02 <xgerman_> yes, we did that in Queens — so changing will be tough…
14:34:14 <xgerman_> I think we should start with L2 and add L3 in S
14:34:36 <SridarK_> we can always have some validation logic to ignore one of them appropriately depending on whether the rule is in an ingress or egress policy
14:34:53 <chandanc> May be we can discuss over mail, but +1 to SridarK_
14:34:57 <SridarK_> ok more thought is needed
14:35:01 <chandanc> that can be an option
14:35:03 <SridarK_> chandanc: yes
14:35:10 <xgerman_> =1
14:35:22 <SridarK_> it is some complexity but that can take care of the situation
14:35:42 <SridarK_> ok lets discuss on email so we are more clear
14:35:50 <yushiro> SridarK_, xgerman_ +1
14:36:04 <yushiro> I see. Thank you.
14:36:23 <yushiro> #topic specs
14:36:35 <SridarK_> i agree with xgerman_ that making changes to the API is a no no now
14:37:20 <yushiro> I see.  Existing API shouldn't change.
14:37:25 <SridarK_> I sent a reminder to the PTL on the address group spec - i think it is ready to go
14:37:55 <SridarK_> maybe it happens now, but if it is punted to S - will that need to fresh review ?
14:38:03 <SridarK_> not that it is a big deal
14:39:20 <yushiro> SridarK_, Yes.  I think directory should change from rocky to stein.  Super nit :p
14:39:34 <SridarK_> yes
14:40:18 <yushiro> wkite, I'm sorry I didn't have enough time to do this week.
14:40:35 <yushiro> #topic Horizon support
14:41:09 <wkite> yushiro: Never mind.
14:41:28 <SridarK_> wkite: no worries - we shd get a response soon
14:41:38 <SridarK_> i think it shd get in
14:42:27 <wkite> SridarK_: Thank you for your efforts.
14:42:39 <yushiro> +1
14:42:45 <SridarK_> wkite: no issue at all -
14:43:18 <SridarK_> I think SarathMekala is tied up with an internal release
14:44:09 <yushiro> OK
14:44:29 <yushiro> #topic bugs
14:44:35 <SridarK_> chandanc: if u can remind him - we can try to discuss the issues he was tracking
14:44:53 <chandanc> SridarK_: sure will do
14:44:58 <yushiro> SridarK_, chandanc +1  And say hello to him :)
14:45:02 <SridarK_> thx chandanc
14:45:07 <chandanc> yushiro: sure
14:46:02 <yushiro> https://bugs.launchpad.net/neutron/+bug/1762454
14:46:02 <openstack> Launchpad bug 1762454 in neutron "FWaaS: Invalid port error on associating ports (distributed router) to firewall group" [Medium,In progress] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
14:46:12 <yushiro> #link https://bugs.launchpad.net/neutron/+bug/1762454
14:46:51 <SridarK_> yushiro: were u able to test the HA router scenario ?
14:47:28 <yushiro> SridarK_, I'm sorry.  I didn't have any update for it.  But I'll target L3-HA first.
14:47:48 <SridarK_> yushiro: ok we can sync up
14:47:56 <SridarK_> my concern is on on the HA
14:48:03 <SridarK_> *only on
14:48:07 <yushiro> I believe that devstack can deploy 2 network nodes and 1 compute node.
14:48:20 <SridarK_> yushiro: ok
14:49:45 <yushiro> SridarK_, I thought that in case of DVR, we can use L2 port for it.  Is there any meaning to put firewall_group into DVR port?
14:50:15 <SridarK_> yushiro: DVR is not an issue - i verified on how the rules get put into ns
14:50:39 <SridarK_> the issue is only on the naming used
14:51:18 <yushiro> I think E-W traffic in DVR can be filtered at VM port.  Ah, we can filter N-S traffic by putting DVR port.
14:51:34 <yushiro> SridarK_, yes, naming is little different ;)
14:51:40 <SridarK_> yushiro: yes it is only relevant to N - S
14:51:43 <SridarK_> here
14:51:52 <yushiro> SridarK_, I see.
14:52:16 <yushiro> OK, so, I'll test L3-HA case.
14:52:26 <SridarK_> I will update gerrit and lets sync on this HA
14:52:30 <yushiro> #topic Open Discussion
14:52:51 <SridarK_> Are we maintaining an etherpad for the Logging testing ?
14:54:29 <yushiro> annp_, I think etherpad is hyperlink page for google doc(testing) and github(devstack configuration), right?
14:54:48 <annp_> SridarK, https://etherpad.openstack.org/p/Logging_service_for_FWaaS_review_plan
14:55:08 <annp_> yushiro, right.
14:55:20 <SridarK_> sorry got it thx annp_
14:55:35 <SridarK_> will be easy to reference that
14:55:54 <annp_> SridarK_, Thanks a ton for your great reviewing
14:56:23 <SridarK_> annp_: no i have not done much - just trying to get the pieces to fit together
14:56:39 <annp_> SridarK, regards to L7 filtering I'd like to discuss with you and xgerman at PTG if I go there
14:56:54 <SridarK_> I have run the neutron patches and the first 4 fwaas patches
14:57:06 <SridarK_> * I have gone thru
14:57:10 <SridarK_> annp_: surely
14:57:29 <SridarK_> annp_: sorry i forgot to respond to ur email but we can defn talk
14:57:32 <openstackgerrit> Merged openstack/neutron-fwaas-dashboard master: fix tox python3 overrides  https://review.openstack.org/573934
14:57:42 <longkb> SridarK_: if you got any problem, please ping me or annp :D
14:57:51 <SridarK_> longkb: yes i will do that
14:58:02 <annp_> SridarK_, No worries.
14:58:06 <longkb> +10 SridarK_
14:58:21 <annp_> longkb, SridarK_: +100
14:59:57 <SridarK_> almost time
15:00:06 <yushiro> al
15:00:16 <yushiro> OK, bye bye !!
15:00:18 <yushiro> #endmeeting