18:45:52 <SumitNaiksatam> #startmeeting Networking FWaaS
18:45:53 <openstack> Meeting started Wed Mar 26 18:45:52 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:45:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:45:56 <openstack> The meeting name has been set to 'networking_fwaas'
18:46:16 <SumitNaiksatam> SridarK RajeshMohan: there?
18:46:21 <SridarK> hi
18:46:24 <RajeshMohan> SumitNaiksatam: Hi
18:46:54 <SumitNaiksatam> RajeshMohan: apologies for the delay, but it would be nice to have you in the previous meeting as well
18:47:07 <RajeshMohan> SumitNaiksatam: I am sorry. I had a clash
18:47:16 <SumitNaiksatam> not sure if we have gary or yi today?
18:47:27 <RajeshMohan> SumitNaiksatam: I am trying to reschedule the other one
18:47:34 <SumitNaiksatam> RajeshMohan: ok great
18:47:46 <SumitNaiksatam> RajeshMohan: lots of discussion on service context over there
18:47:58 <RajeshMohan> SumitNaiksatam: I will go over them
18:47:58 <SumitNaiksatam> #topic Service Insertion and Firewall
18:48:09 <SumitNaiksatam> https://review.openstack.org/#/c/62599
18:48:42 <SumitNaiksatam> RajeshMohan: is the earlier issue raised by akihiro fixed?
18:49:13 <SumitNaiksatam> RajeshMohan: we have not rebased since march 6th
18:49:16 <RajeshMohan> SumitNaiksatam: No, I was waiting for kevin's patch to merge. I see that it is merged now
18:49:29 <SumitNaiksatam> RajeshMohan: the one on the UTs?
18:49:32 <RajeshMohan> SumitNaiksatam: I can put back the 'router-in-use'
18:49:58 <RajeshMohan> 'router-in-use' check should take care of one issue he raised
18:50:13 <SridarK> So with this the router will not get deleted when fw-delete happens ?
18:50:20 <SumitNaiksatam> RajeshMohan: ok, lets get it wrapped up and have akihiro agree to it
18:50:23 <RajeshMohan> The other one was about router not getting deleted
18:50:36 <SumitNaiksatam> RajeshMohan: i think the latter should be fixed now, right?
18:51:06 <RajeshMohan> SridarK: any updates on that - sorry I cannot find the link to your patch
18:51:31 <SridarK> #link https://review.openstack.org/#/c/74290
18:51:53 <RajeshMohan> SumitNaiksatam: those two will take care of what looked like bugs
18:51:55 <SridarK> one issue pending is Akihiro comments on using a ',' delimiter
18:52:12 <SridarK> oops sorry
18:52:16 <SridarK> u asked abt the bug
18:52:29 <SridarK> yes that will take care of one of Akihiro's issues
18:52:33 <SumitNaiksatam> ok good
18:52:50 <SumitNaiksatam> so RajeshMohan lets reach out akihiro once we have rebased and patched
18:52:56 <SumitNaiksatam> this will of course not merge
18:53:32 <RajeshMohan> SumitNaiksatam: there was general issue on attributes.py file
18:53:32 <SumitNaiksatam> but if we get his approval, it will be easier to proceed once Juno opens
18:53:41 <SumitNaiksatam> RajeshMohan: what was that?
18:54:12 <RajeshMohan> SumitNaiksatam: 1 sec
18:54:17 <SumitNaiksatam> yeah
18:54:26 <SumitNaiksatam> SridarK: how is the CLI patch looking
18:54:30 <SumitNaiksatam> SridarK: are we set?
18:54:47 <SridarK> one issue pending is Akihiro comments on using a ',' delimiter for the resource list
18:55:04 <SridarK> i used a space delimiter to keep it consistent with FW rules list
18:55:38 <SridarK> there is no religion there just trying to maintain some consistency
18:55:51 <SridarK> wanted to get ur opinion and i can change it
18:56:30 <RajeshMohan> SumitNaiksatam: I cannot find it - it was the discussion on defining 'routers', 'network' etc in common file
18:56:51 <RajeshMohan> SumitNaiksatam: He was not sure if all types will make sense for all services
18:56:54 <SumitNaiksatam> SridarK: ah ok, i think we can go with what Akihiro wants (comma separated)
18:57:03 <SridarK> ok done
18:57:14 <RajeshMohan> SumitNaiksatam: Not sure if we discussed that in Advanced Services meeting
18:57:24 <SumitNaiksatam> SridarK: we can later, change the firewall rules to keep consistency
18:57:29 <SumitNaiksatam> RajeshMohan: ok
18:57:30 <SridarK> ok
18:57:43 <SumitNaiksatam> RajeshMohan: i think i recall that comment in the review
18:57:52 <SumitNaiksatam> RajeshMohan: lets leave it the way it is now
18:58:09 <SumitNaiksatam> RajeshMohan: the reviewer can get back on this if its still an issue
18:58:20 <RajeshMohan> SumitNaiksatam: Ok. I will address the comments and rebase once Sridar's patch merges
18:58:37 <SumitNaiksatam> RajeshMohan: SridarK's patch?
18:58:54 <RajeshMohan> SumitNaiksatam: yes - router not getting deleted fix
18:59:01 <SridarK> RajeshMohan: that is merged
18:59:08 <SumitNaiksatam> RajeshMohan: yeah
18:59:15 <SumitNaiksatam> RajeshMohan: that happened on March 15th
18:59:35 <RajeshMohan> SumitNaiksatam SridarK: Ok. Then I will rebase
18:59:49 <SumitNaiksatam> RajeshMohan: ok thanks
18:59:57 <SridarK> RajeshMohan: one other issue was when we try to delete these routers (which has no i/f) - Akihiro's issue
19:00:13 <SridarK> or rather a follow on to Akihiro's issue
19:00:25 <SridarK> i have an email out to u
19:00:49 <SumitNaiksatam> SridarK: i think i glossed over that
19:00:58 <SumitNaiksatam> SridarK: can't seem to recollect the context
19:01:21 <SridarK> SumitNaiksatam: when we delete - there was an issue on the db
19:01:31 <SumitNaiksatam> SridarK: ok
19:01:43 <SumitNaiksatam> SridarK: is the comment on RajeshMohan's patch?
19:01:57 <SridarK> SumitNaiksatam: No details in email to u guys
19:01:58 <RajeshMohan> SridarK: I also seem to be missing some context - To me 'Akihiro's issue' and 'router not deleted' are same
19:02:18 <SridarK> I will resend the email
19:02:30 <SumitNaiksatam> SridarK: ok great, sorry about that
19:02:57 <SridarK> RajeshMohan: /opt/stack/neutron/neutron/db/service_context.py(266)_delete_resource_context() -> service_context_id=service_context_db.id).one() ---------------------------------------------------------------------- > /usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py(2193)one() -> "Multiple rows were found for one()") (Pdb)
19:03:07 <SridarK> was the traceback
19:03:29 <RajeshMohan> SridarK: ok - got that
19:03:34 <SridarK> this copy paste comes out terribly :-)
19:03:40 <SridarK> RajeshMohan: ok great
19:03:47 <SumitNaiksatam> SridarK: but it did the trick :-)
19:03:49 <RajeshMohan> SridarK: I need to fix that as well along with rebase
19:04:03 <SridarK> RajeshMohan: ok
19:04:36 <SumitNaiksatam> RajeshMohan: if possible we should have a UT to cover that case
19:04:58 <RajeshMohan> SumitNaiksatam SridarK: Will have a patch out by end of this week
19:05:29 <SumitNaiksatam> RajeshMohan: ok thanks
19:05:42 <SridarK> ok cool i will also refactor the CLI to change as per Akihiro's comment for ','
19:05:48 <SumitNaiksatam> we should focus on getting this in before we take up other things
19:05:55 <SumitNaiksatam> lets not lose our tempo on this
19:05:55 <SridarK> so we should be good to go when Juno reopens
19:06:13 <SumitNaiksatam> SridarK: yeah, thanks
19:06:29 <RajeshMohan> Sooner the better - I need to work on our plugin as well after that
19:06:43 <SumitNaiksatam> RajeshMohan: ok cool
19:06:52 <SumitNaiksatam> #topic
19:06:55 <SumitNaiksatam> #undo
19:06:56 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x2969210>
19:07:15 <SumitNaiksatam> #topic Zones
19:07:47 <SridarK> so this will be a primary target for Juno
19:08:06 <SumitNaiksatam> SridarK: I think we need to discuss as a team
19:08:20 <SridarK> yes
19:08:29 <SumitNaiksatam> per our earlier discussion this was definitely a priority
19:08:32 <SridarK> i think we had some points down
19:08:32 <RajeshMohan> All firewalls have zones - though the definition of zones may differ a bit
19:08:45 <SridarK> but will be good to cover it as a team
19:08:53 <SumitNaiksatam> but still good to have a discussion
19:09:12 <SumitNaiksatam> RajeshMohan: you wanted to discuss something beyond what we have currently defined?
19:09:15 <RajeshMohan> SumitNaiksatam SridarK: We already discussed this in the HK summit
19:09:17 <SridarK> RajeshMohan: yes i think some minor differences
19:09:30 <SridarK> across vendors
19:09:46 <RajeshMohan> I propose that we start working on the patch - after we document the API
19:09:54 <SridarK> but seems like nothing too controversial hopefully and we can have a model that works for all
19:10:25 <SumitNaiksatam> RajeshMohan: definitely, if we can crystallize the resource model and the API, we can proceed on this
19:10:43 <SridarK> perhaps we can start the discussions - i can start capturing into a doc
19:10:47 <RajeshMohan> SridarK: let's document what we mean by zones and get folks to agree
19:10:57 <SridarK> so we have something out there for all to comment
19:11:10 <SridarK> RajeshMohan: we are on the same page :-)
19:11:20 <RajeshMohan> zones - collection of neutron ports is what we were pushing in the Icehouse design summit
19:11:37 <RajeshMohan> SridarK: ok great
19:11:58 <SridarK> I see some similarities with our discussions on insertion context
19:12:11 <SridarK> service context
19:12:45 <RajeshMohan> SridarK: yes - we have to link the two at some stage - maybe at validation stage
19:13:05 <SumitNaiksatam> yeah, one general comment (i think we discussed this earlier) is that not every construct of a service needs to be represented at the neutron level
19:13:25 <SumitNaiksatam> i do agree that from a firewall perspective, zone is a fundamental construct
19:13:55 <SridarK> SumitNaiksatam: yes i think we need to discuss more on that
19:14:01 <SumitNaiksatam> however, i think we will need to convince the community that certain use cases cannot be satisfied if zones are not defined
19:14:47 <RajeshMohan> All firewalls have zones - is that not good enough :-)
19:15:02 <SumitNaiksatam> RajeshMohan: probably not
19:15:10 <RajeshMohan> we need different policy for different pair of zones
19:15:24 <SumitNaiksatam> RajeshMohan: all switches mostly support VLANs
19:15:43 <SumitNaiksatam> RajeshMohan: but we don't expose them in the neutron abstraction
19:15:51 <SumitNaiksatam> may not be the best analogy
19:15:56 <SridarK> SumitNaiksatam: i think u are saying to justify this new construct of szone
19:16:02 <SridarK> *zone
19:16:04 <SumitNaiksatam> i am just playing the devil's advocate
19:16:18 <SridarK> instead of just saying collection of ports
19:16:19 <RajeshMohan> SumitNaiksatam: Ok - we will try to build a case for firewall zones
19:16:47 <SumitNaiksatam> RajeshMohan: great
19:17:17 <SumitNaiksatam> #topic open discussion
19:17:26 <SumitNaiksatam> anything else we need to discuss?
19:17:31 <SridarK> Summit prep ?
19:17:35 <SumitNaiksatam> yeah
19:17:39 <SumitNaiksatam> thanks SridarK just typing
19:17:43 <SridarK> we should discuss with all folks
19:17:45 <SumitNaiksatam> i did post a summit session
19:17:48 <SridarK> oh ok :-)
19:18:03 <RajeshMohan> I want to propose an extension to firewall "Firewall DPI Configuration"
19:18:04 <SumitNaiksatam> like last time
19:18:21 <RajeshMohan> I can get a BP ready for that
19:18:43 <SumitNaiksatam> #link http://summit.openstack.org/cfp/details/17
19:19:07 <SumitNaiksatam> RajeshMohan: great
19:19:09 <SridarK> RajeshMohan: i attribute my baldness to debugging DPI issues on a NPU ;-)
19:19:12 <RajeshMohan> We need a knob at Firewall level to say that "IPS is enabled", "Gateway AntiVirus is enabled" and few more DPI based firewall services
19:19:19 <SridarK> so +1 on that
19:19:52 <SumitNaiksatam> i think we need to get into a room (at least some of us) to converge on the priority of topics
19:20:09 <SumitNaiksatam> anything more?
19:20:10 <SridarK> SumitNaiksatam: yes that will be great
19:20:24 <RajeshMohan> SumitNaiksatam: Sure. I am sure this will be priority for most firewall vendors
19:20:58 <RajeshMohan> SumitNaiksatam SridarK: Just to confirm. What are next actions on Firewall zones?
19:20:59 <SumitNaiksatam> yeah
19:21:23 <RajeshMohan> SumitNaiksatam SridarK: Are we going to work on a patch based on last design summit?
19:21:23 <SridarK> Lets start some discussion and capture into a doc
19:21:44 <SumitNaiksatam> SridarK: +1
19:22:07 <RajeshMohan> SridarK: IMO, we already discussed this in last two summits. We can have a quick discussion this time
19:22:48 <SridarK> RajeshMohan: ok lets get some convergence amongst the sub team
19:22:59 <SridarK> so there are no issues raised later on
19:23:25 <RajeshMohan> SridarK SumitNaiksatam: Sorry for pushing on Firewall zones but this is important for DELL plugin
19:23:40 <SumitNaiksatam> SridarK: yeah, i think we need to convince the rest of the community
19:23:48 <RajeshMohan> I am ok with one more discussion but we have discussed this a lot already
19:24:04 <SridarK> RajeshMohan: Agreed very important for us also and also for other participants
19:24:18 <RajeshMohan> SumitNaiksatam SridarK: Ok. Let's start with documentation
19:24:23 <SumitNaiksatam> RajeshMohan: there is also always an option of having vendor specific extensions
19:24:57 <SumitNaiksatam> RajeshMohan: document sounds like a good idea
19:25:05 <SumitNaiksatam> lets call it a wrap for today
19:25:12 <SridarK> ok
19:25:13 <SumitNaiksatam> unless there is something else
19:25:17 <RajeshMohan> SumitNaiksatam SridarK: ok. Thanks
19:25:20 <SridarK> nope
19:25:22 <SridarK> thanks
19:25:30 <SumitNaiksatam> thanks folks for joining
19:25:30 <SridarK> SumitNaiksatam: RajeshMohan ttyl
19:25:35 <SridarK> bye
19:25:36 <SumitNaiksatam> #endmeeting