18:47:44 #startmeeting Networking FWaaS 18:47:45 Meeting started Wed Apr 30 18:47:44 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:47:46 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:47:48 The meeting name has been set to 'networking_fwaas' 18:48:06 #topic STF patch 18:48:27 btw, SridarK garyduan, still here? 18:48:33 yes 18:48:37 SumitNaiksatam: yes here 18:49:16 sorry for the delay 18:49:23 no worries 18:49:37 garyduan: thanks for taking the effort on the STF patch 18:49:54 garyduan: you saw some of the discussions on flavors 18:50:11 garyduan: i am hoping that STF will stil be used 18:50:34 SumitNaiksatam: I think it will, right? 18:50:44 garyduan: enikanorov_ is proposing that 18:50:46 SumitNaiksatam: eventually need to map to driver 18:50:55 garyduan: i am not sure everyone is on board though 18:51:09 i guess only the mapping part will change ? 18:51:16 garyduan: if we like that idea we should push for it 18:51:20 SumitNaiksatam: the alternative is everyone write their plugin 18:51:23 SridarK: true, some changes 18:51:49 garyduan: yeah, that should not be the only option 18:52:02 garyduan: SumitNaiksatam perhaps from a vendor perspective we need to start with writing as a svc plugin 18:52:14 and refactor when this becomes avail ? 18:52:50 SridarK: certainly an option, perhaps will illustrate to the community the need for the framework, once they see common code 18:52:51 SridarK: that would be quite difficult 18:53:02 SridarK: i think you need to target a driver from the beginning 18:53:11 but certainly helps vendors to make progress 18:53:25 enikanorov_: agree only on timing of release cycles for products 18:53:45 moving from plugin to driver can be difficult 18:53:54 enikanorov_: the concern here is that the vendors have not been able to make progress in the entire icehouse cycle 18:53:58 as you need to deprecate, change deployment practive, etc 18:54:01 enikanorov_: rather i meant that is the only reason to take that extreme approach 18:54:10 enikanorov_: and there is stil no clear path for them in Juno 18:54:59 enikanorov_: if there is a way to provide enough evidence that they can get a driver out based on a framework, within Juno, we are forcing them to take this extreme approach 18:55:00 SumitNaiksatam: i think that's a management problem. we need to bring those who 'not onboard' to our meetings or to propose alternative approaches 18:55:21 enikanorov_: i agree there is a process issue 18:55:47 otherwise it all can be unproductive. And i personally think that issue is no big deal from impl perspective 18:55:48 we are having meetings in the community including this one 18:55:54 but rather important from UX perspective 18:56:14 not sure what more to do to get people to participate 18:56:28 SumitNaiksatam: yeah, but I noticed that bps are getting reviewed by whole oother group of people :) 18:56:53 (then who attend the meetings i mean) 18:57:06 enikanorov_: i believe you are saying that those review bps dont attend these meetings 18:57:10 enikanorov_: i agree 18:57:15 yep 18:57:23 I do hope we can get this adopted and agreed upon even if we start getting it out in phases 18:57:38 enikanorov_: i think the people who attend the meetings should commet on the reviews and reference the discussion in the meetings 18:57:48 *comment 18:57:51 anyway 18:58:02 we digressed a bit 18:58:10 sorry 18:58:21 enikanorov_: so you plan to bring up the STF tie in as separate bp spec? 18:58:35 oh... 18:58:39 SridarK: no, not at all 18:59:13 i can take it, but i'm not sure i'll have enough bandwidth for this 19:01:38 enikanorov_: understandable 19:01:38 SumitNaiksatam: The notion of keeping STF is good - so with garyduan: 's work for fwaas - vendors have something to work against - i think that will be easier to digest 19:01:38 SridarK: agree 19:01:38 i think basically we need to work with mark macclain to resolve his concerns 19:01:38 garyduan SridarK: any chance that you will have the bandwidth to refactor STF? 19:01:38 enikanorov_: ok 19:01:39 SumitNaiksatam: no problem 19:01:39 SumitNaiksatam: i can help some - but i may get oversubscribed - we can talk offline 19:01:44 * SumitNaiksatam thinks this is quite a bit of a heavy protocol to have to individually reach out to people 19:01:55 garyduan SridarK: good 19:02:08 enikanorov_: lets bring this up with the PTL, what say? 19:02:34 yes sure 19:03:34 #action SumitNaiksatam enikanorov_ to reach out to mestery and mark mcclain to sort out the future of the service provider framework 19:03:49 https://wiki.opendaylight.org/images/HostedFiles/Fedora20_ODL_OpenStack.zip 19:05:00 * SumitNaiksatam happy to see mestery participate in some way in FWaaS :-) 19:05:14 on next topic 19:05:15 SumitNaiksatam: Yes me too! 19:05:31 mestery: we wanted to reach out to you regarding the service provider framework 19:05:32 wondering about STF for VPNaaS as well 19:05:38 pcm_: good 19:05:54 mestery: wondering if this meeting is a good time, or we should send you an meail 19:05:56 email 19:06:00 Nachi had a review (and I had client code), but both nixed in icehouse 19:06:05 SumitNaiksatam: Lets see what we can cover her 19:06:29 the firewall and the VPN vendors are having a really tough time integrating their drivers 19:06:43 Guess we should have a common solution for all services (and maybe push up to common code)? 19:06:56 SumitNaiksatam: yeah, that be me 19:06:57 they have tried to use the service time framework (which is now evolving to flavors) before, but their patches are on hold now 19:07:01 SumitNaiksatam: yes you are right, we need to have the Framework sorted out for the services. 19:07:12 pcm_ Swami: yes 19:07:28 mestery: so while we are making progress with the flavors discussion 19:07:38 mestery: how that ties in to the backed provider is not clear 19:07:56 SumitNaiksatam: OK. Any plans there or ideas? 19:08:01 mestery: enikanorov_ has been suggesting that we reuse the existing service type framework for that 19:08:14 That makes some sense. :) 19:08:14 mestery: others seem to be in agreement 19:08:33 enikanorov_: can you share your thoughts? or what the objections are? 19:08:38 mestery: there's however some specifics. right now STF has a bit of public API 19:08:49 and that bit is not quite suitable for public clouds 19:09:00 so we just remove it in favow of flavor framework 19:09:04 *in favor 19:09:23 but STF is also a dispatching mechanism from rest calls to vendor drivers 19:09:29 that part is really useful 19:10:26 enikanorov_: so your proposal is to refactor that part and keep it 19:10:47 i also have not see any alterante proposal 19:10:48 SumitNaiksatam: exactly 19:11:17 enikanorov_: also if this keeps the plugin - driver i/f reasonably intact except for the provider scheduling aspect - something to start off with 19:11:47 mestery: some of the firewall team members participating here and representing vendors are suggesting that they might have to take extreme approach of creating vendor specific service plugins if they dont have a resolution to this 19:12:03 mestery: i am guessing this is the same with VPNaaS as well 19:12:11 SumitNaiksatam: Understood. So is hte issue we need to get the framework merged soon? 19:12:15 enikanorov_: perhaps "reasonably" is a bit of a stretch but atleast something to start with 19:12:26 i think that approach is not good, it will create a lot of contention once API will develop 19:12:48 SridarK: it will keep plugin and driver's interface 19:12:54 mestery: i believe the issue is that there is some opposition to keeping that part of the STF 19:13:05 enikanorov_: i am articulating the issue correctly? 19:13:13 SumitNaiksatam enikanorov_: Understood. 19:13:33 SumitNaiksatam: as far as i understand, the concern is about user allowed to chose implementation (vendor) 19:13:44 same issue with VPNaaS, currently, no way to support mutiple providers. 19:13:48 so it's about implementation typesbeing exposed 19:13:57 enikanorov_: but you are addressing that with the flavors framework 19:14:11 once we hide it behind flavors - we still can leverage dispatching mechanism of STF 19:14:24 enikanorov_: so ideally once that is addressed there should not be an issue with using STF in the backend 19:14:27 still can = still should 19:14:35 SumitNaiksatam: yes 19:14:42 mestery: ok it seems like we need your nod on this 19:14:49 I think it's the most feasible way 19:14:58 SumitNaiksatam: so right now i'm suggesting to merge the patch STF+fwaas, removing 'provider' from public API 19:15:10 enikanorov_: agree 19:15:18 SumitNaiksatam: it's 'noop' from functionality perspective, but a basis for flavors applied to fwaas 19:15:24 this seems like a light at the end of the tunnel :-) 19:15:24 SumitNaiksatam: OK, understood. Doing 2 meetings at once now, apologies. :) 19:15:43 mestery: no worries, at least you are listening to us :-) 19:15:49 :) 19:15:49 mestery: u need to clone urself :-) 19:15:54 SridarkK: :P 19:16:02 SridarK: :D 19:16:21 enikanorov_ garyduan: i think we should push forward with the proposal 19:16:26 So, once flavors is avail, we'll have the selection (UI) component. in the meantime use the same method of selecting (sole) default provider in neutron.conf? 19:16:48 pcm_: i would think so 19:17:14 pcm_: yes 19:17:31 sounds good to me... hsip it :) 19:17:32 enikanorov_: if this flies then it will be refactoring a STF implementation to flavors 19:17:35 ship 19:17:45 SridarK: not exactly 19:17:58 SridarK: STF is a bit of different part of mechanism 19:18:04 enikanorov_: 19:18:06 STF is about dispatchin rest calls to drivers 19:18:19 Flavors is about cheduling service instance to a driver and to a backend 19:18:24 enikanorov_: agree at least better than svc plugin to flavors 19:18:36 enikanorov_: that is what i meant 19:18:41 ok 19:19:00 enikanorov_: can we have a short write up of how the STF refactoring should happen in your opinion? 19:19:09 enikanorov_: i know you are swamped 19:19:17 enikanorov_: but we need to be on the same page 19:19:19 SumitNaiksatam: yes, will do 19:19:30 SumitNaiksatam: should i post it to neutron spec? 19:19:35 ok good, enikanorov_ thanks 19:19:39 enikanorov_: sure 19:19:42 ok 19:19:52 we can then decide, who can take that up 19:20:10 garyduan: perhaps you can follow up on that 19:20:12 enikanorov_: that would be nice 19:20:28 SumitNaiksatam: ok 19:20:34 #action enikanorov_ to post STF refactor proposal 19:20:37 enikanorov_: perhaps a few of us can also discuss at some point during the summit 19:20:48 SumitNaiksatam: I will submit the spec to gerrit 19:21:02 SridarK: sure 19:21:35 SridarK: i would hope we sort this out before the summit 19:21:46 that would be ideal :-) 19:21:48 SumitNaiksatam: yes that would be best 19:22:01 +1 19:22:10 enikanorov_: thanks much for that 19:22:13 mestery: as well 19:22:17 sumit: can you include me in any offline discussion 19:22:24 Swami: of course 19:22:43 SumitNaiksatam: thanks 19:22:57 garyduan are you feeling more comfortable now? 19:23:05 regarding STF patch that is 19:23:28 SumitNaiksatam: :-) 19:23:36 ok moving on 19:23:52 #topic Firewall Zones 19:24:08 SridarK: can you provide upate? 19:24:15 *udpate 19:25:04 some more questions on how we want to model zones - whether as a neutron resource or we can provide this as a list of existing neutron resources (ports etc) 19:25:45 from the service context discussion perhaps as a list seems more in line ? 19:26:54 Also thinking in terms of zones and service context looking at zones as a subset of where the service is inserted 19:27:33 SridarK: okay 19:27:42 SridarK: you were working on a document for this 19:27:54 capturing some thoughts for perhaps an internal discussion and the push it up 19:27:56 i am still a little bit on the fence 19:27:59 yes 19:28:16 it seems like an uphill battle to convince the rest of the community 19:28:29 we will do it if it is required 19:28:53 but we need to see what our priorities are 19:29:04 garyduan: what do you think? 19:29:18 SridarK: sorry, commenting without looking at the doc 19:29:22 I think port is fine 19:29:33 SridarK: but since you mentioned that there might be an alternative 19:29:34 SumitNaiksatam: are u saying for zones or more in general on services insertion etc 19:29:36 garyduan: ok 19:29:39 for edge firewall, this concept still applies 19:29:44 SridarK: i meant zones 19:30:07 SumitNaiksatam: no issues - want to have more discussion on this - so that is good 19:30:20 garyduan: with the current service insertion suggestion, we might be able to apply the service on a port 19:30:51 SumitNaiksatam: ok - i think we will put in usecases across vendors and customers to what extent can be shared 19:31:05 SumitNaiksatam: yes. that's why i was thinking in that direction too 19:31:28 SridarK: ok good, and we can accordingly validate if the current service insertion suggestion help 19:31:32 garyduan: ok good 19:31:50 SumitNaiksatam: garyduan: But we will need different FW instances for each zone pair ? 19:31:53 SumitNaiksatam: but I believe there some use cases that the traditonal zone fits better 19:32:20 SumitNaiksatam: just to confirm, when we apply server to ports, there also be direction info, right? 19:32:31 s/server/service/ 19:32:43 beyounn: good question 19:33:01 beyounn: i believe if we have direction notion, then it will satisfy zones requirement? 19:33:14 SumitNaiksatam: i saw direction in latest doc from Kanjie 19:33:28 SumitNaiksatam: that is my feeling 19:33:49 SridarK: i am not completely sure about that 19:34:06 beyounn: so we have direction in the firewall rules, right? 19:34:23 SumitNaiksatam: ok 19:34:56 SumitNaiksatam: when we want is something like "from zone1 to zone2 match source_address,dest_address,port.. then reject" 19:35:02 s/when/what/ 19:35:28 SumitNaiksatam:but from zone2 to zone1 the rule can be different 19:35:34 i doubt that service insertion is going to have a directional notion 19:36:01 beyounn: yes 19:36:58 i am just trying to look up what is the notion of direction on our firewall rules 19:37:30 oh actually we dont have direction 19:37:38 we have source and destination 19:37:50 SumitNaiksatam: we only have src , dst 19:38:08 how about we still stick with Zone and build test case around of it and then compare with service insertion to see if it can fit? 19:38:10 we will need to overlay the notion of direction btwn zones 19:38:25 s/test case/use case/ 19:38:28 beyounn: sure 19:38:38 SridarK: you are going to do that? 19:38:48 SumitNaiksatam: yes 19:39:10 SumitNaiksatam: beyounn garyduan: perhaps we can have some offline discussions too 19:39:19 SridarK: sure 19:39:21 Sridark:sure 19:39:41 SumitNaiksatam: how was the plan for F2F mgt? 19:39:43 #action SridarK to work on draft of zones proposal, focussing on use case 19:39:55 beyounn: sure, lets take that offline 19:40:00 perhaps beyounn: & I will run into each other if we are working out side ;-) 19:40:03 SumitNaiksatam:ok 19:40:23 SridarK: ah thats what you meant by offline :-) 19:40:24 Sridark: Let have a beer :-) 19:40:40 I have good wine in my home :-) 19:41:14 SumitNaiksatam: thanks - i think some offline brainstorming will help - some dependency on service insertion will also need to be clarified so we can model accordingly 19:41:27 SumitNaiksatam: beyounn; ;-) 19:41:41 #topic Service Objects 19:41:54 beyounn: we intend to target this for Juno? 19:42:18 SumitNaiksatam:Still, I will write spec 19:42:26 beyounn: ok great 19:42:57 #action beyounn to submit gerrit bp spec for Service Objects extension: https://blueprints.launchpad.net/neutron/+spec/fwaas-customized-service 19:43:29 #topic Juno priorities and Atlanta design summit session discussion 19:43:59 #info design summit session: http://junodesignsummit.sched.org/event/72f3dc6498fa2821fab5f941b9690da9 19:44:14 we have a share 40 minute slot with VPNaaS 19:44:26 *shared 19:44:32 so we will get 20 minutes 19:44:48 SumitNaiksatam: it will be good if we can drive some commonality with VPN on service insertion 19:45:27 Do we plan any other things in FWaaS 19:45:34 SridarK: we will discuss service insertion in the advanced services common requirements session 19:45:44 SumitNaiksatam: yes agreed 19:45:47 garyduan: everything is up for discussion at this stage 19:45:53 Like logging, app-id etc. 19:45:53 including vendor drivers 19:46:07 garyduan: do we have the resources to do that? 19:46:14 and address book 19:46:18 SumitNaiksatam: we will have a vendor BP 19:47:10 garyduan: since we were blocked in icehouse, i would like be more focussed in juno to push forward 19:47:29 *like to 19:47:31 SumitNaiksatam: agreed 19:47:51 we need to decide absolutely what we want to get through in Juno 19:47:55 please think accordingly 19:48:09 we will also be looking for reviewers attention 19:48:31 so its not just how fast we can churn patches, we also need reviewers to be able to review them 19:48:59 SumitNaiksatam: that's partly process issue 19:49:17 if we put too many things out there at the same time, it dilutes reviewers attention and nothing gets in 19:49:39 garyduan: i think process is changing, but its a bit of everything 19:50:03 garyduan: so we need to be pragmatic 19:50:16 SumitNaiksatam: I don't think we have time to do those things, but some discuss in F-to-F meeting might be helpful 19:50:26 garyduan: you yeah absolutely 19:50:38 garyduan: we need to have a long term road map for sure, i think we have had on 19:50:46 i am just asking now about Juno 19:51:05 what are our absolute priorities 19:51:31 i believe the ones we already have in flight (service insertion and STF) are the ones we have already identified 19:51:43 SumitNaiksatam: IMO, zones is important 19:51:54 we need to decide besides those what is critical 19:52:20 and beyounn's patch too 19:52:29 to make FWaaS complete 19:52:35 garyduan: yeah 19:53:00 not really complete, but cover the basis 19:53:13 so i would think that the realistic thing is here to first focus on the patches that we already have in flight 19:53:30 we need to file new blueprints for them, and that itself is going to take some more time to converge 19:53:50 besides i believe both SridarK and garyduan have the vendor drivers planned as well, right? 19:54:07 SumitNaiksatam: yes 19:54:27 SumitNaiksatam: yes, in our case, refactor 19:54:38 so thats going to be a handful between 3 or 4 people 19:55:07 and considering the limited reviewer attention we get 19:56:01 i would propose that we focus on these things which are in flight first, and once we the blueprints are re-approved, code patches are resubmitted, we can potentially think of any new features we can try to target for juno 19:56:59 we can definitely have discussions on features in longer term road map, but that would be proposed priority - first get our existing patches reviewed and merged 19:57:00 yes 19:57:28 SumitNaiksatam: sure and we can continue more offline discussions too 19:57:29 if we can get that far, that will be a huge step forward compared to icehouse :-) 19:57:36 SridarK: absolutely 19:58:12 ok lets, starting thinking in terms of the couple of topics that we might want to bring up in the summit discussion 19:58:21 we also need to create an etherpad 19:58:36 anyone want to do that? 19:58:41 or else i can do it 19:58:58 SumitNaiksatam: I can do it 19:59:03 SridarK: great 19:59:35 #action SridarK to create design summit etherpad 19:59:41 alrighty, anything more for now? 20:00:03 no for me 20:00:07 its been a long meeting, but i think we at least made progress on the STF discussion 20:00:15 we can figure out more next steps offline then 20:00:25 SridarK: yes 20:00:29 great, thanks SridarK garyduan beyounn for joining 20:00:35 bye all! 20:00:39 bye 20:00:45 Swami: as well 20:00:49 Thanks and bye all 20:00:53 #endmeeting