18:02:50 #startmeeting Networking FWaaS 18:02:51 Meeting started Wed Feb 12 18:02:50 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:52 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:02:55 The meeting name has been set to 'networking_fwaas' 18:03:06 garyduan: hi 18:03:10 lets start with your patch 18:03:15 Hi all 18:03:25 #topic service_type framework 18:03:46 Regarding Eugene's comment 18:04:14 garyduan: i think we are stuck with enikanorov's comment 18:04:36 garyduan: can you ping him again? 18:04:45 SumitNaiksatam: I can 18:04:48 garyduan: we really need to move on now 18:05:12 garyduan: gate is also doing better now, and RajeshMohan is waiting on this patch 18:05:20 SumitNaiksatam: another option is to add upgrade to associate existing fw to default provider 18:05:47 garyduan: can you set up an IRC meeting with enikanorov to discuss this? 18:06:00 SumitNaiksatam: OK 18:06:22 did the other folks get a chance to review garyduan's patch? 18:07:09 lets give our suggestions at the earliest so we wrap up the patch 18:07:58 garyduan: separately lets try to ping nachi again as well 18:08:09 SumitNaiksatam: sure 18:08:31 garyduan: he has a similar patch for VPNaaS, so as long as we are in sync he should be fine for this as well 18:08:59 SumitNaiksatam: right 18:09:10 sorry forgot to add link to patch 18:09:16 dem doma 18:09:20 I have a client side patchf or STF 18:09:30 #link https://review.openstack.org/#/c/60699 18:09:32 sigh :) 18:09:33 to go with Nachi's patch 18:09:41 pcm_: ok 18:10:06 pcm_: are you find with garyduan's patch ^^^ 18:10:11 *fine 18:10:33 Just joined in, what's the link(sorry)? 18:11:00 SumitNaiksatam: garyduan hi 18:11:16 i'm just walking by. how can i help? 18:11:21 pcm_: https://review.openstack.org/#/c/60699 18:11:51 enikanorov: thanks for joining, we are waiting on you for: #link https://review.openstack.org/#/c/60699 18:11:58 enikanorov: we are talking about the fwaas service framework patch 18:12:06 garyduan: thanks. I'll look at it. 18:12:10 ah, ok, yep, I have to say something on this 18:12:16 let me quickly go over the comments 18:12:27 enikanorov: regarding yours and Sumit's comments 18:12:46 enikanorov: thanks, we need to make a move on this patch since others a waiting on this 18:12:51 *are 18:13:10 ok, so you think it's fine because of experimental status. i'm ok with that 18:13:16 i'll remove -1 18:13:42 enikanorov: yeah, i dont think this in production anywhere yet (happy to be corrected) 18:13:52 enikanorov: so migration would not be a concern to me 18:13:58 and also we're now discussing flavors with markmcclain and salv-orlando, i think it will eventually take place of providers 18:14:02 what does the rest of the FWaaS team think 18:14:21 enikanorov: good to know, please include me in that discussion 18:14:25 SumitNaiksatam: is the FWaaS STF in-line with the VPNaaS patches? 18:14:32 enikanorov: just a name change? 18:14:39 yeah, it has just started but i think it going to have some implications 18:14:43 garyduan: not really 18:14:49 enikanorov: while we still have STF, we would like to make sure FWaaS is compliant 18:14:52 it's much more flexible and complex thing 18:15:27 enikanorov: we can eventually migrate along with the other services whenever they move to the new flavors or whatever it ends up being 18:15:46 pcm_: my understanding is yes 18:15:53 SumitNaiksatam: i understand. I think i'll just write an email with the problem overview and you will decide if you want to move forward with STF or wait for flavors 18:15:58 SumitNaiksatam: cool 18:16:15 enikanorov: I think, it was mentioned in HK meeting, but like to know the detail 18:16:41 garyduan: flavors is something that was proposed at least a year ago 18:16:43 enikanorov: so we have to go with STF, you are +1 for the current patch? 18:16:47 (with a bit different name may be) 18:16:55 but no one closely worked on this 18:17:08 service type fw, 'providers' is a simplistic implementation of this 18:17:53 SumitNaiksatam: i'll need to look closer to give +1 (i remember i found no issues except migration) 18:18:33 enikanorov: ok, if you can take a few minutes at the earliest, would be much appreciated 18:18:41 sure i will 18:18:48 enikanorov: great thanks 18:19:03 garyduan: anything else to discuss on this patch? 18:19:21 no 18:19:30 Thanks enikanorov and pcm_ 18:19:46 np 18:20:02 do you guys have a corresponding client side change out for review? 18:20:19 pcm_: no 18:20:24 rather, not yet 18:20:36 pcm_: what is client side change? 18:21:01 For VPNaaS we needed change to neutronclient too... https://review.openstack.org/#/c/53602/1 18:21:12 pcm_: OK 18:21:38 pcm_: not for service framework 18:22:03 pcm_: we can add similar functionality for FWaaS as well, once server side patch is in 18:22:24 yeah, just giving heads up 18:22:29 pcm_: thanks 18:22:53 ok moving on 18:23:24 #topic Service Insertion and Firewall 18:23:54 #link https://review.openstack.org/#/c/62599 18:24:04 RajeshMohan: you rebased the patch 18:24:09 thanks! 18:24:32 I am working on the agent and driver side now 18:24:37 RajeshMohan: are you on track to respond to the review comments? 18:24:47 RajeshMohan: great 18:25:11 RajeshMohan: agent and driver side changes are hopefully not too many, right? 18:25:13 I have not closely looked at review comments 18:25:20 (since it is still WIP) 18:25:41 I know I have to add unit tests to remove -2 from you 18:25:50 RajeshMohan: i think if the agent and driver side changes are small, they can all be in the same patch, no need to split further 18:25:53 Are there any other major comments 18:26:02 Ofcourse 18:26:11 THat is the plan 18:26:24 Next patch will have agent and driver changes 18:26:33 RajeshMohan: nice 18:27:02 RajeshMohan: as for comments, I dont think my comments on the validation have been fully addressed 18:27:03 SumitNaiksatam: Can you remove -2 and put -1 18:27:18 RajeshMohan: we went back and forth several times on this 18:27:25 SumitNaiksatam: Ok. 18:27:49 SumitNaiksatam: I will go through the comments again. I deferred some to do it as part service-tyep framework 18:28:02 RajeshMohan: I believe we left at the point where you were going to fix it (after rebasing) 18:28:09 RajeshMohan: yeah 18:28:19 ok moving on to the client/CLI 18:28:24 SridarK: hi 18:28:50 The thought on the CLI is something like: 18:29:11 neutron firewall-create --service-context routers= networks= subnets= ports= 18:29:39 SridarK: that looks okay 18:29:51 SridarK: it will be more like: 18:31:08 firewall-create [--service-context [routers=] [networks=] [subnets= ports=]] 18:31:22 yes ofcourse 18:31:25 SridarK: meant to indicate that the context is optional 18:31:38 absoultely that was the intent 18:31:48 SridarK: and that when the context is specified, not all types are required 18:31:55 SridarK: yeah i am sure you meant that 18:32:07 SridarK: just wanted to clarify my understanding 18:32:08 yes, i have some json dumps from RajeshMohan: 18:32:20 RajeshMohan, garyduan: does that look ok? 18:32:27 so will get a patch pushed out in the next couple of days 18:32:39 SumitNaiksatam: Just to highlight - it slightly deviates from outPI design. IN API, the list of insertion types (routers, ports) can be anything by changing validtors (without changing API). But CLI has to change if we introduce a new type of insertion 18:33:08 s/outPI/our API 18:33:09 SumitNaiksatam: looks fine 18:33:26 RajeshMohan: thats correct, in the CLI we are more explicit, but that's the client side 18:33:42 SumitNaiksatam: Just wanted to make sure that is ok 18:33:48 RajeshMohan: we would ideally like it to be more user friendly 18:34:38 RajeshMohan: i believe the other option would be not to have, say, "routers=...", but i think its better to be more explicit 18:35:13 SridarK: there used to be some quirks when having to specify a list of values 18:35:25 SumitNaiksatam: I agree with the current CLI. Just wanted to bring it up so that it is recorded that we discussed this. 18:35:34 ok rather than a single value ? 18:35:45 on each option ? 18:36:12 SridarK: i think we have some convention when we specifying the firewall rule ids for a firewall policy 18:36:24 SridarK: I would tend to think we can follow that convention 18:37:01 ok sounds good - will look at that FW Rules list SumitNaiksatam:: 18:37:06 Thanks 18:37:12 SridarK: thanks 18:37:31 RajeshMohan: do we anticipate devstack changes? 18:37:52 SumitNaiksatam: I am hoping to avoid it 18:38:10 SumitNaiksatam: If insertion type is not specified, then insert it on all 18:38:22 RajeshMohan: so default will still be on all routers? 18:38:45 i think we discussed that 18:38:48 SumitNaiksatam: If someone can update devstack, htat will be great 18:39:15 RajeshMohan: i can update devstack, just let me know what you have in mind 18:39:49 SumitNaiksatam: I am not sure if there is any change required. 18:40:40 RajeshMohan: ok good 18:41:07 SumitNaiksatam: Netork issues on my side. I am gettising refresed late 18:41:08 i think based on the tempest tests, we might need to, in case we want fwaas to be inserted as a part of the devstack process 18:41:28 and don't want to be on all routers 18:41:35 RajeshMohan: no worries 18:41:53 SridarK: so we will have a CLI patch by friday :-) 18:42:05 Will certainly shoot for that. :-) 18:42:06 SumitNaiksatam: yes, but config tells where it needs to be inserted. So, I am not sure where the no devstack changes 18:42:38 RajeshMohan: also can we remove the WIP on your patch by this friday? 18:43:03 SumitNaiksatam: I will try. Unit tests will most likely not be complete 18:43:33 RajeshMohan: as long as you have some UT, it should be fine, there will always be a case for adding more 18:43:33 SumitNaiksatam: But I will do my best to get it done by Friday 18:43:47 SumitNaiksatam: Ok. 18:44:09 RajeshMohan: with some UTs, and the patch out of WIP, people will feel more comfortable about reviewing 18:44:29 SumitNaiksatam: and without -2 :-) 18:44:39 :-) 18:45:03 RajeshMohan: yeah, i will remove, i wanted to make sure that the comment regarding the validation etc are not missed 18:45:15 it seems RajeshMohan: is hurt by the -2 ;-) 18:45:17 SumitNaiksatam: I will add validators in reference implementation context and then you can remove that 18:45:29 RajeshMohan: thanks 18:45:50 SridarK: i will be more careful :-P 18:45:57 :-) 18:46:34 anything else on this? 18:47:09 ok moving on 18:47:27 #topic Service Objects 18:47:41 ok 18:47:52 beyounn: hi 18:47:52 I'm working on the FW side of changes 18:47:59 beyounn: great 18:48:07 I may need to ping Rajesh for help when I update iptable part 18:48:24 but for now, I removed WIP from current review request 18:48:31 beyounn: ok, do we have a chance of targeting this for I3? 18:48:39 since it has passed both unit test and tempest 18:48:46 beyounn: you can send me email and we can discuss 18:48:54 Sumit:When will be I3? 18:48:57 beyounn: ok cool, i saw the update a few days back 18:49:00 Rajesh: Thanks 18:49:41 beyounn: lets keep at least the rest of the team also in the loop on that discussion 18:49:51 Sumit:sure 18:49:55 Also, 18:50:17 enikanorov has reviewed it, for everyone else, please also help to take a look 18:50:33 Since this is the first time I'm writing python, so more feedback is better 18:50:42 beyounn: milestones: #link https://wiki.openstack.org/wiki/Icehouse_Release_Schedule 18:50:49 i believe its march 4th 18:51:04 Sumit: That could be hard 18:51:18 beyounn: ok 18:51:26 Ok, I'm done 18:51:32 beyounn: whatever you are comfortable with 18:51:54 Sumit: thanks 18:52:12 beyounn: we would need corresponding CLI/client patch also for this (eventually) 18:52:26 I had CLI as well 18:52:26 #topic general discussion 18:52:40 beyounn: ok 18:52:42 https://review.openstack.org/#/c/69171/ 18:52:51 oh thanks, i missed that 18:52:59 Sumit: Please take a look 18:53:06 Since no one has review it yet 18:53:40 beyounn: but i think we first need to review and feel more comfortable about the server side patch 18:53:53 Sumit: Sure 18:53:59 enikanorov: are you still there? 18:54:09 beyounn: yes 18:54:09 so in terms of order of priority of reviews for our team, can i request that we first review garyduan's patch: 18:54:18 what is it (sorry, i'm not following the meeting) 18:54:31 #link https://review.openstack.org/#/c/60699 18:54:47 enikanorov: could you take a look at https://review.openstack.org/#/c/67784/ again 18:54:49 thanks 18:55:09 can i request all FWaaS team members to review garyduan's patch first? 18:55:25 Sumit: Sure 18:55:26 will do 18:55:29 second priority will be RajeshMohan's service insertion patch: 18:55:41 #link https://review.openstack.org/#/c/62599 18:56:17 meanwhile hopefully SridarK will have his CLI patch as well, and we can review that 18:56:36 subsequently, we beyounn should be ready with his patch: 18:56:51 #link https://review.openstack.org/#/c/67784 18:56:58 and we can review that 18:57:30 i am not suggesting that we do this sequentially, but in terms of priority i am proposing this as the plan to requests patches getting merged 18:58:01 we have pretty much been working on these lines just restating it 18:58:12 thats pretty much it from me 18:58:31 #info feature proposal freeze deadline is feb 18th 18:59:04 everyone is good otherwise? 18:59:53 ok seems like :-) 18:59:57 lets wrap up 19:00:02 bye 19:00:04 ok bye all 19:00:09 Bye all 19:00:12 bye 19:00:13 #endmeeting