18:45:52 <SumitNaiksatam> #startmeeting Networking FWaaS
18:45:53 <openstack> Meeting started Wed Mar 26 18:45:52 2014 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:45:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:45:56 <openstack> The meeting name has been set to 'networking_fwaas'
18:46:16 <SumitNaiksatam> SridarK RajeshMohan: there?
18:46:21 <SridarK> hi
18:46:24 <RajeshMohan> SumitNaiksatam: Hi
18:46:54 <SumitNaiksatam> RajeshMohan: apologies for the delay, but it would be nice to have you in the previous meeting as well
18:47:07 <RajeshMohan> SumitNaiksatam: I am sorry. I had a clash
18:47:16 <SumitNaiksatam> not sure if we have gary or yi today?
18:47:27 <RajeshMohan> SumitNaiksatam: I am trying to reschedule the other one
18:47:34 <SumitNaiksatam> RajeshMohan: ok great
18:47:46 <SumitNaiksatam> RajeshMohan: lots of discussion on service context over there
18:47:58 <RajeshMohan> SumitNaiksatam: I will go over them
18:47:58 <SumitNaiksatam> #topic Service Insertion and Firewall
18:48:09 <SumitNaiksatam> https://review.openstack.org/#/c/62599
18:48:42 <SumitNaiksatam> RajeshMohan: is the earlier issue raised by akihiro fixed?
18:49:13 <SumitNaiksatam> RajeshMohan: we have not rebased since march 6th
18:49:16 <RajeshMohan> SumitNaiksatam: No, I was waiting for kevin's patch to merge. I see that it is merged now
18:49:29 <SumitNaiksatam> RajeshMohan: the one on the UTs?
18:49:32 <RajeshMohan> SumitNaiksatam: I can put back the 'router-in-use'
18:49:58 <RajeshMohan> 'router-in-use' check should take care of one issue he raised
18:50:13 <SridarK> So with this the router will not get deleted when fw-delete happens ?
18:50:20 <SumitNaiksatam> RajeshMohan: ok, lets get it wrapped up and have akihiro agree to it
18:50:23 <RajeshMohan> The other one was about router not getting deleted
18:50:36 <SumitNaiksatam> RajeshMohan: i think the latter should be fixed now, right?
18:51:06 <RajeshMohan> SridarK: any updates on that - sorry I cannot find the link to your patch
18:51:31 <SridarK> #link https://review.openstack.org/#/c/74290
18:51:53 <RajeshMohan> SumitNaiksatam: those two will take care of what looked like bugs
18:51:55 <SridarK> one issue pending is Akihiro comments on using a ',' delimiter
18:52:12 <SridarK> oops sorry
18:52:16 <SridarK> u asked abt the bug
18:52:29 <SridarK> yes that will take care of one of Akihiro's issues
18:52:33 <SumitNaiksatam> ok good
18:52:50 <SumitNaiksatam> so RajeshMohan lets reach out akihiro once we have rebased and patched
18:52:56 <SumitNaiksatam> this will of course not merge
18:53:32 <RajeshMohan> SumitNaiksatam: there was general issue on attributes.py file
18:53:32 <SumitNaiksatam> but if we get his approval, it will be easier to proceed once Juno opens
18:53:41 <SumitNaiksatam> RajeshMohan: what was that?
18:54:12 <RajeshMohan> SumitNaiksatam: 1 sec
18:54:17 <SumitNaiksatam> yeah
18:54:26 <SumitNaiksatam> SridarK: how is the CLI patch looking
18:54:30 <SumitNaiksatam> SridarK: are we set?
18:54:47 <SridarK> one issue pending is Akihiro comments on using a ',' delimiter for the resource list
18:55:04 <SridarK> i used a space delimiter to keep it consistent with FW rules list
18:55:38 <SridarK> there is no religion there just trying to maintain some consistency
18:55:51 <SridarK> wanted to get ur opinion and i can change it
18:56:30 <RajeshMohan> SumitNaiksatam: I cannot find it - it was the discussion on defining 'routers', 'network' etc in common file
18:56:51 <RajeshMohan> SumitNaiksatam: He was not sure if all types will make sense for all services
18:56:54 <SumitNaiksatam> SridarK: ah ok, i think we can go with what Akihiro wants (comma separated)
18:57:03 <SridarK> ok done
18:57:14 <RajeshMohan> SumitNaiksatam: Not sure if we discussed that in Advanced Services meeting
18:57:24 <SumitNaiksatam> SridarK: we can later, change the firewall rules to keep consistency
18:57:29 <SumitNaiksatam> RajeshMohan: ok
18:57:30 <SridarK> ok
18:57:43 <SumitNaiksatam> RajeshMohan: i think i recall that comment in the review
18:57:52 <SumitNaiksatam> RajeshMohan: lets leave it the way it is now
18:58:09 <SumitNaiksatam> RajeshMohan: the reviewer can get back on this if its still an issue
18:58:20 <RajeshMohan> SumitNaiksatam: Ok. I will address the comments and rebase once Sridar's patch merges
18:58:37 <SumitNaiksatam> RajeshMohan: SridarK's patch?
18:58:54 <RajeshMohan> SumitNaiksatam: yes - router not getting deleted fix
18:59:01 <SridarK> RajeshMohan: that is merged
18:59:08 <SumitNaiksatam> RajeshMohan: yeah
18:59:15 <SumitNaiksatam> RajeshMohan: that happened on March 15th
18:59:35 <RajeshMohan> SumitNaiksatam SridarK: Ok. Then I will rebase
18:59:49 <SumitNaiksatam> RajeshMohan: ok thanks
18:59:57 <SridarK> RajeshMohan: one other issue was when we try to delete these routers (which has no i/f) - Akihiro's issue
19:00:13 <SridarK> or rather a follow on to Akihiro's issue
19:00:25 <SridarK> i have an email out to u
19:00:49 <SumitNaiksatam> SridarK: i think i glossed over that
19:00:58 <SumitNaiksatam> SridarK: can't seem to recollect the context
19:01:21 <SridarK> SumitNaiksatam: when we delete - there was an issue on the db
19:01:31 <SumitNaiksatam> SridarK: ok
19:01:43 <SumitNaiksatam> SridarK: is the comment on RajeshMohan's patch?
19:01:57 <SridarK> SumitNaiksatam: No details in email to u guys
19:01:58 <RajeshMohan> SridarK: I also seem to be missing some context - To me 'Akihiro's issue' and 'router not deleted' are same
19:02:18 <SridarK> I will resend the email
19:02:30 <SumitNaiksatam> SridarK: ok great, sorry about that
19:02:57 <SridarK> RajeshMohan:   /opt/stack/neutron/neutron/db/service_context.py(266)_delete_resource_context() -> service_context_id=service_context_db.id).one()  ---------------------------------------------------------------------- > /usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py(2193)one() -> "Multiple rows were found for one()") (Pdb)
19:03:07 <SridarK> was the traceback
19:03:29 <RajeshMohan> SridarK: ok - got that
19:03:34 <SridarK> this copy paste comes out terribly :-)
19:03:40 <SridarK> RajeshMohan: ok great
19:03:47 <SumitNaiksatam> SridarK: but it did the trick :-)
19:03:49 <RajeshMohan> SridarK: I need to fix that as well along with rebase
19:04:03 <SridarK> RajeshMohan: ok
19:04:36 <SumitNaiksatam> RajeshMohan: if possible we should have a UT to cover that case
19:04:58 <RajeshMohan> SumitNaiksatam SridarK: Will have a patch out by end of this week
19:05:29 <SumitNaiksatam> RajeshMohan: ok thanks
19:05:42 <SridarK> ok cool i will also refactor the CLI to change as per Akihiro's comment for ','
19:05:48 <SumitNaiksatam> we should focus on getting this in before we take up other things
19:05:55 <SumitNaiksatam> lets not lose our tempo on this
19:05:55 <SridarK> so we should be good to go when Juno reopens
19:06:13 <SumitNaiksatam> SridarK: yeah, thanks
19:06:29 <RajeshMohan> Sooner the better - I need to work on our plugin as well after that
19:06:43 <SumitNaiksatam> RajeshMohan: ok cool
19:06:52 <SumitNaiksatam> #topic
19:06:55 <SumitNaiksatam> #undo
19:06:56 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x2969210>
19:07:15 <SumitNaiksatam> #topic Zones
19:07:47 <SridarK> so this will be a primary target for Juno
19:08:06 <SumitNaiksatam> SridarK: I think we need to discuss as a team
19:08:20 <SridarK> yes
19:08:29 <SumitNaiksatam> per our earlier discussion this was definitely a priority
19:08:32 <SridarK> i think we had some points down
19:08:32 <RajeshMohan> All firewalls have zones - though the definition of zones may differ a bit
19:08:45 <SridarK> but will be good to cover it as a team
19:08:53 <SumitNaiksatam> but still good to have a discussion
19:09:12 <SumitNaiksatam> RajeshMohan: you wanted to discuss something beyond what we have currently defined?
19:09:15 <RajeshMohan> SumitNaiksatam SridarK: We already discussed this in the HK summit
19:09:17 <SridarK> RajeshMohan: yes i think some minor differences
19:09:30 <SridarK> across vendors
19:09:46 <RajeshMohan> I propose that we start working on the patch - after we document the API
19:09:54 <SridarK> but seems like nothing too controversial hopefully and we can have a model that works for all
19:10:25 <SumitNaiksatam> RajeshMohan: definitely, if we can crystallize the resource model and the API, we can proceed on this
19:10:43 <SridarK> perhaps we can start the discussions - i can start capturing into a doc
19:10:47 <RajeshMohan> SridarK: let's document what we mean by zones and get folks to agree
19:10:57 <SridarK> so we have something out there for all to comment
19:11:10 <SridarK> RajeshMohan: we are on the same page :-)
19:11:20 <RajeshMohan> zones - collection of neutron ports is what we were pushing in the Icehouse design summit
19:11:37 <RajeshMohan> SridarK: ok great
19:11:58 <SridarK> I see some similarities with our discussions on insertion context
19:12:11 <SridarK> service context
19:12:45 <RajeshMohan> SridarK: yes - we have to link the two at some stage - maybe at validation stage
19:13:05 <SumitNaiksatam> yeah, one general comment (i think we discussed this earlier) is that not every construct of a service needs to be represented at the neutron level
19:13:25 <SumitNaiksatam> i do agree that from a firewall perspective, zone is a fundamental construct
19:13:55 <SridarK> SumitNaiksatam: yes i think we need to discuss more on that
19:14:01 <SumitNaiksatam> however, i think we will need to convince the community that certain use cases cannot be satisfied if zones are not defined
19:14:47 <RajeshMohan> All firewalls have zones - is that not good enough :-)
19:15:02 <SumitNaiksatam> RajeshMohan: probably not
19:15:10 <RajeshMohan> we need different policy for different pair of zones
19:15:24 <SumitNaiksatam> RajeshMohan: all switches mostly support VLANs
19:15:43 <SumitNaiksatam> RajeshMohan: but we don't expose them in the neutron abstraction
19:15:51 <SumitNaiksatam> may not be the best analogy
19:15:56 <SridarK> SumitNaiksatam: i think u are saying to justify this new construct of szone
19:16:02 <SridarK> *zone
19:16:04 <SumitNaiksatam> i am just playing the devil's advocate
19:16:18 <SridarK> instead of just saying collection of ports
19:16:19 <RajeshMohan> SumitNaiksatam: Ok - we will try to build a case for firewall zones
19:16:47 <SumitNaiksatam> RajeshMohan: great
19:17:17 <SumitNaiksatam> #topic open discussion
19:17:26 <SumitNaiksatam> anything else we need to discuss?
19:17:31 <SridarK> Summit prep ?
19:17:35 <SumitNaiksatam> yeah
19:17:39 <SumitNaiksatam> thanks SridarK just typing
19:17:43 <SridarK> we should discuss with all folks
19:17:45 <SumitNaiksatam> i did post a summit session
19:17:48 <SridarK> oh ok :-)
19:18:03 <RajeshMohan> I want to propose an extension to firewall "Firewall DPI Configuration"
19:18:04 <SumitNaiksatam> like last time
19:18:21 <RajeshMohan> I can get a BP ready for that
19:18:43 <SumitNaiksatam> #link http://summit.openstack.org/cfp/details/17
19:19:07 <SumitNaiksatam> RajeshMohan: great
19:19:09 <SridarK> RajeshMohan: i attribute my baldness to debugging DPI issues on a NPU ;-)
19:19:12 <RajeshMohan> We need a knob at Firewall level to say that "IPS is enabled", "Gateway AntiVirus is enabled" and few more DPI based firewall services
19:19:19 <SridarK> so +1 on that
19:19:52 <SumitNaiksatam> i think we need to get into a room (at least some of us) to converge on the priority of topics
19:20:09 <SumitNaiksatam> anything more?
19:20:10 <SridarK> SumitNaiksatam: yes that will be great
19:20:24 <RajeshMohan> SumitNaiksatam: Sure. I am sure this will be priority for most firewall vendors
19:20:58 <RajeshMohan> SumitNaiksatam SridarK: Just to confirm. What are next actions on Firewall zones?
19:20:59 <SumitNaiksatam> yeah
19:21:23 <RajeshMohan> SumitNaiksatam SridarK: Are we going to work on a patch based on last design summit?
19:21:23 <SridarK> Lets start some discussion and capture into a doc
19:21:44 <SumitNaiksatam> SridarK: +1
19:22:07 <RajeshMohan> SridarK: IMO, we already discussed this in last two summits. We can have a quick discussion this time
19:22:48 <SridarK> RajeshMohan: ok lets get some convergence amongst the sub team
19:22:59 <SridarK> so there are no issues raised later on
19:23:25 <RajeshMohan> SridarK SumitNaiksatam: Sorry for pushing on Firewall zones but this is important for DELL plugin
19:23:40 <SumitNaiksatam> SridarK: yeah, i think we need to convince the rest of the community
19:23:48 <RajeshMohan> I am ok with one more discussion but we have discussed this a lot already
19:24:04 <SridarK> RajeshMohan: Agreed very important for us also and also for other participants
19:24:18 <RajeshMohan> SumitNaiksatam SridarK: Ok. Let's start with documentation
19:24:23 <SumitNaiksatam> RajeshMohan: there is also always an option of having vendor specific extensions
19:24:57 <SumitNaiksatam> RajeshMohan: document sounds like a good idea
19:25:05 <SumitNaiksatam> lets call it a wrap for today
19:25:12 <SridarK> ok
19:25:13 <SumitNaiksatam> unless there is something else
19:25:17 <RajeshMohan> SumitNaiksatam SridarK: ok. Thanks
19:25:20 <SridarK> nope
19:25:22 <SridarK> thanks
19:25:30 <SumitNaiksatam> thanks folks for joining
19:25:30 <SridarK> SumitNaiksatam: RajeshMohan ttyl
19:25:35 <SridarK> bye
19:25:36 <SumitNaiksatam> #endmeeting