18:39:42 <SumitNaiksatam> #startmeeting Networking FWaaS
18:39:43 <openstack> Meeting started Wed Aug 20 18:39:42 2014 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:39:44 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:39:46 <openstack> The meeting name has been set to 'networking_fwaas'
18:40:03 <SumitNaiksatam> #chairs SridarK badveli garyduan
18:40:10 <badveli> hello all
18:40:14 <SridarK> hi all
18:41:36 <SumitNaiksatam> lets get started
18:41:48 <SumitNaiksatam> #topic Action item review
18:42:16 <SumitNaiksatam> SridarK: badveli do we have the DVR wiki page?
18:42:29 <badveli> yes we have some info on the wiki
18:42:29 <SridarK> yes it is up
18:42:36 <SridarK> #link https://wiki.openstack.org/wiki/Quantum/FWaaS/FWaaS-DVR
18:42:56 <SridarK> badveli: & i put in some basic info and pointers
18:43:16 <SridarK> SumitNaiksatam: i think we can tweak this more - will do so
18:43:51 <SumitNaiksatam> SridarK: swee!
18:44:02 <SumitNaiksatam> *sweet
18:44:12 <SridarK> thanks to badveli as well
18:44:24 <badveli> thanks
18:45:14 <SumitNaiksatam> badveli: yes indeed, thanks!
18:45:31 <badveli> thanks Sumit, Sridar
18:45:43 <SumitNaiksatam> i believe we didnt have any more action items
18:45:56 <SumitNaiksatam> last week that is (apart from the real work we had to do :-))
18:46:02 <SumitNaiksatam> #topic Bugs
18:46:42 <SumitNaiksatam> i tried to bug scrub a bit last week as well
18:47:48 <SumitNaiksatam> so the highest priority pending bug is a medium one:
18:47:56 <SridarK> SumitNaiksatam: yes sorry - i have been swamped and could not really take a look at any new bugs
18:48:02 <SumitNaiksatam> #link https://bugs.launchpad.net/neutron/+bug/1334981
18:48:07 <SumitNaiksatam> SridarK: no worries
18:48:14 <SumitNaiksatam> other bugs have patches in reviews
18:48:51 <SumitNaiksatam> i checked with koteswara and i have not gotten a response yet
18:50:20 <SumitNaiksatam> any other bugs that we shoud discuss here?
18:50:32 <SridarK> SumitNaiksatam: nothing that i am aware of
18:51:15 <badveli> Sumit: we will wait for the armando fix regarding the router creation and the firewall
18:51:21 <SumitNaiksatam> SridarK: yeah
18:51:46 <SumitNaiksatam> badveli: yes, hopefully we can make progress with that issue with that patch
18:52:40 <SridarK> SumitNaiksatam: have exchanged some comments with armando on that - i think that last review did not yield success
18:52:46 <badveli> Yes Sumit, hopefully the gate failures will not be seen lot of times
18:52:58 <SumitNaiksatam> SridarK: ah ok, the last i looked i had not see the vote
18:53:12 <SumitNaiksatam> SridarK: the last patch set you mean?
18:53:18 <SridarK> yes
18:53:40 <SridarK> will experiment once i have my changes for dvr also
18:53:48 <badveli> Sridar: I also went through but not spend too much time
18:54:30 <SumitNaiksatam> ok so lets to the DVR discussion
18:54:32 <SumitNaiksatam> #topic FWaaS support for DVR
18:54:57 <SumitNaiksatam> SridarK: thanks for initiating the WebEx call with the DVR team yesterday
18:55:15 <SridarK> SumitNaiksatam: np at all
18:55:15 <SumitNaiksatam> so if i have to summarize:
18:56:23 <SumitNaiksatam> 1. the DVR code will raise an exception if a migration is attempted from legacy to DVR or vice-versa if that tenant has a firewall
18:57:23 <SumitNaiksatam> 2. the FWaaS support will conditionally process the DVR and the legacy cases
18:57:41 <SumitNaiksatam> meaning we will support both scenarios
18:58:10 <SumitNaiksatam> though, the approved spec does not commit to doing this in a concurrent manner
18:58:57 <SridarK> SumitNaiksatam: we just rely on the basic support for DVR we are adding for (2)
18:59:04 <badveli> I think with patch and the exception
18:59:13 <SumitNaiksatam> so, the current PoA is to either support FWaaS for all routers in DVR or legacy mode, but not in mixed-mode
18:59:41 <SumitNaiksatam> everybody agree with the above, or are there any other nuances?
18:59:46 <badveli> Sumit: Looks like with our patch we should be able to support both
19:00:07 <badveli> mixed mode should be automatically taken care
19:00:13 <SumitNaiksatam> badveli: okay, but we have not mentioned that in the spec
19:00:25 <SumitNaiksatam> badveli: so we will claim that it works only after we have tested it
19:00:37 <SumitNaiksatam> more of a question for the team
19:00:39 <badveli> Yes we have written down some thing like that on wiki
19:00:54 <SridarK> SumitNaiksatam: on the PoA - from the discussion not sure that we can avoid the mixed mode from yesterday's discussion
19:00:55 <badveli> Sridar and myself will test it out and see
19:01:26 <SridarK> SumitNaiksatam: the mixed mode - we need to consider what we were calling 2a & 2b
19:01:51 <SridarK> When FWaaS comes after routers - we can check for this in the agent
19:02:01 <SumitNaiksatam> SridarK: yes, 2a and 2b
19:02:04 <SridarK> but if a router comes after fwaas
19:02:15 <SumitNaiksatam> SridarK: however, i dont think we can just support one and not the other
19:02:28 <SridarK> then the check has to be done on the dvr side
19:02:43 <SumitNaiksatam> hence my suggestion is that we dont claim just yet that we support the mixed-mode
19:02:58 <SridarK> SumitNaiksatam: ok we will not claim this
19:03:10 <SridarK> SumitNaiksatam:  but we cannot prevent it
19:03:22 <SumitNaiksatam> if the theory that the mixed-mode will be supported automatically on account of the FWaaS support for DVR is true, we are in good shape anyway
19:03:23 <badveli> Sridark: I am trying to understand with our patch we should not be in a worry state
19:03:39 <badveli> sumit: that is what i am saying
19:03:47 <SridarK> badveli: hmm
19:03:51 <SumitNaiksatam> badveli: i have not seen enough of the patch to make a confident assertion
19:03:53 <badveli> it should be automatically taken care
19:04:05 <SridarK> the patch can handle both cases
19:04:33 <SridarK> but will not check for state of other routers
19:04:52 <SumitNaiksatam> SridarK: badveli: i dont have a problem if you want to claim that we support both 2a and 2b, but then you are on the hook :-)
19:05:21 <SridarK> so basically a router is added - we will check the mode of that router and add the rules in appropriate namespace
19:05:30 <SumitNaiksatam> my thinking was that since this was not explicitly stated or requested in the blueprint spec, it was not a requirement
19:05:42 <badveli> Sridar: Right Sumit: We will check that and figure out
19:05:43 <SridarK> but we are not checking if this router also conforms with all the other routers in the tenant
19:05:52 <SridarK> we can do that
19:05:54 <badveli> if what ever understanding with DVR team
19:06:16 <badveli> is the way it is
19:06:27 <SridarK> but then DVR has to do that too which i think they did not want to do
19:07:06 <SridarK> SumitNaiksatam: i think i am trying to say - we could land up in a mixed mode
19:07:26 <SridarK> SumitNaiksatam: if we don't want to - we have to do something extra to prevent it
19:07:40 <badveli> Sridar: Atleast looks to me the DVR code should give proper triggers
19:07:51 <SridarK> both on our side and as well as DVR
19:08:34 <badveli> Sridark: should we experiment with the patch
19:08:42 <SumitNaiksatam> SridarK: talking to swami yesterday my understanding was that we do that “something” only if we have to
19:08:44 <badveli> and see if we it is not sufficient?
19:09:00 <SumitNaiksatam> SridarK: and that is based on our experience from implementing the base support
19:09:10 <SumitNaiksatam> badveli: yes, i think i am saying the same thing you are saying
19:09:18 <badveli> Yes Sumit
19:09:32 <SridarK> SumitNaiksatam: yes correct -
19:09:40 <badveli> We should do something only if it is needed
19:09:52 <badveli> this we will have an idea once we have the patch and test it out
19:10:07 <SridarK> SumitNaiksatam: i was just pointing out that we will not naturally avoid mixed mode
19:10:18 <SumitNaiksatam> SridarK: ah yes
19:10:26 <badveli> Correct Sridar and Sumit
19:10:29 <SumitNaiksatam> so lets discuss the mitigation plan
19:10:56 <SumitNaiksatam> in case after implemeting the current patch, and experimenting the mixed-mode we realize that there is a hitch
19:11:07 <SumitNaiksatam> and something that we cannot achieve in the J time frame
19:11:12 <SumitNaiksatam> what is the mitigation?
19:11:21 <SumitNaiksatam> SridarK: i believe that is what you want to bring up?
19:11:34 <SridarK> SumitNaiksatam: yes hopefully no issues
19:11:56 <SumitNaiksatam> SridarK: no, but if there are, what is our mitigation?
19:12:01 <SridarK> SumitNaiksatam: but in case there is an issue on mixed mode - we can prevent it - for 2b
19:12:21 <SridarK> SumitNaiksatam: but for full solution we need DVR to prevent it also
19:12:29 <SumitNaiksatam> SridarK: yes prevent it from FwaaS to address 2b (which is that the firewall is created after the mixed mode routers)
19:12:39 <SumitNaiksatam> SridarK: yes, which is 2a
19:12:43 <SridarK> SumitNaiksatam: yes exactly
19:12:57 <SridarK> SumitNaiksatam: when routers come fwaas
19:13:06 <SridarK> then dvr will need to prevent it
19:13:26 <SridarK> which Swami said may not be something easy to do for them
19:14:14 <SridarK> SumitNaiksatam: i am not sure how common the mixed mode scenario is
19:14:26 <SumitNaiksatam> SridarK: lets do this
19:14:52 <SumitNaiksatam> SridarK: lets send an email to swami and team about 2a stating what we propose as the mitigation plan
19:15:11 <SridarK> SumitNaiksatam: sounds good
19:15:17 <SumitNaiksatam> SridarK: and again, its a mitigation plan, not the main plan
19:15:35 <SridarK> SumitNaiksatam: yes worst case scenario
19:15:39 <SumitNaiksatam> SridarK: yes
19:15:49 <SridarK> SumitNaiksatam: will do so
19:16:20 <SridarK> SumitNaiksatam: meanwhile i am revising the changes and we will get more testing
19:16:20 <SumitNaiksatam> #action SridarK badveli to send email to DVR team/Swami with a proposal on the mitigation plan for scenarion 2a (firewall is present, and then mixed-mode router creation is attempted)
19:16:22 <SridarK> done
19:16:28 <SumitNaiksatam> SridarK: nice
19:16:40 <SumitNaiksatam> so going back to 1
19:17:01 <SumitNaiksatam> do we need to support the get_firewalls()?
19:17:06 <SridarK> SumitNaiksatam: yes we have something like get_firewall_count()
19:17:38 <SridarK> SumitNaiksatam: Swami pinged me yesterday - i pointed him to plugin methods to see if that works
19:17:46 <SumitNaiksatam> SridarK: ah cool
19:17:55 <SumitNaiksatam> SridarK: you are right, the count would work just fine
19:17:57 <SridarK> SumitNaiksatam: u have added things earlier which should work
19:18:05 <badveli> Sorry i missed
19:18:10 <badveli> network was down
19:18:20 <SridarK> SumitNaiksatam: worst case we can tweak one of these
19:18:26 <SumitNaiksatam> badveli: no worries
19:18:38 <SridarK> badveli: no worries - will update u when we talk in the eve
19:18:39 <SumitNaiksatam> badveli: SridarK mentioned that he reached out Swami yesterday
19:19:01 <SridarK> SumitNaiksatam: rather Swami pinged me
19:19:10 <SumitNaiksatam> badveli: my question was whether we need anything additional for supporting migration scenario 1
19:19:29 <SumitNaiksatam> badveli: SridarK’s suggestion is to use get_firewall_count()
19:19:41 <SumitNaiksatam> SridarK: badveli can we document this on the wiki as well?
19:19:50 <SridarK> SumitNaiksatam: sounds good
19:20:03 <SumitNaiksatam> and perhaps point the DVR team to point to this
19:20:23 <SridarK> SumitNaiksatam: ok
19:20:59 <SumitNaiksatam> SridarK: thanks
19:21:10 <SridarK> SumitNaiksatam: np at all
19:21:10 <badveli> Plugin uses this to know about the firewall, right and raise exception
19:21:39 <SridarK> badveli: from the router plugin they will query the fwaas plugin
19:21:50 <badveli> Yes
19:22:04 <SumitNaiksatam> #action SridarK to add scenarion 1 FWaaS support details to DVR wiki, the suggestion is for the DVR code to call get_firewall_count() function
19:22:44 <SumitNaiksatam> SridarK: also, i think we should request the DVR team to cross reference our wiki page from their wiki page (if they have one)
19:23:07 <SridarK> SumitNaiksatam: yes - they do have one - we can request Swami for that
19:23:08 <SumitNaiksatam> that will hopefully ensure propose visibility
19:23:43 <SumitNaiksatam> #action SridarK to request Swami to cross link FWaaS DVR support wiki page from the DVR wiki page
19:24:06 <SumitNaiksatam> ok anything more to discuss on the DVR support?
19:24:47 <SridarK> SumitNaiksatam: nothing more - badveli and i will continue on this
19:25:06 <SumitNaiksatam> SridarK badveli thanks for the update on this
19:25:15 <SumitNaiksatam> but do we have a working DVR setup now?
19:25:22 <badveli> nothing major, i hope everything works as expected
19:25:42 <badveli> We have a single node setup
19:26:01 <SumitNaiksatam> badveli: ah thats good
19:26:14 <SumitNaiksatam> SridarK: we had plans to move to the two node setup as well?
19:26:26 <SridarK> SumitNaiksatam: yes not been able to do this
19:26:26 <badveli> sorry my other server was taken by some one elase
19:26:38 <badveli> else i have only one server as of now
19:27:11 <SridarK> SumitNaiksatam: hoping after this Aug 21 deadline - can may be do that trip to Sacremento to get a handle on the multinode
19:27:43 <SumitNaiksatam> SridarK: okay, perhaps good to socialize this plan with Swami as well
19:28:03 <SumitNaiksatam> i have a hard stop at 12.30 PDT
19:28:03 <SridarK> SumitNaiksatam: but i too need to get another server and try this out
19:28:17 <SumitNaiksatam> SridarK: yes that will be really good (i think we need that)
19:28:23 <SumitNaiksatam> #topic Service Objects
19:28:32 <badveli> yes i have been waiting
19:28:36 <SumitNaiksatam> badveli: i know you are waiting on reviews
19:28:44 <badveli> i have some minor comments
19:28:51 <badveli> that will be addressed
19:28:54 <SumitNaiksatam> badveli: but the DVR work has taken higher priority
19:29:05 <SumitNaiksatam> badveli: great, i will try to get to it at the earliest
19:29:06 <SridarK> SumitNaiksatam: i too am lax on this - i have promised badveli something real soon
19:29:37 <SumitNaiksatam> badveli: that said, the lbaas stuff may or may not be in the main tree in Juno
19:29:45 <SumitNaiksatam> badveli: same thing with VPN
19:29:47 <badveli> thanks sumit
19:29:55 <SumitNaiksatam> badveli: so we have to see where the discussion goes
19:30:01 <SumitNaiksatam> for now we stay on the message
19:30:06 <badveli> sumit you mean fwaas?
19:30:35 <SumitNaiksatam> badveli: yes, for all of lbaas, vpnaas and fwaas
19:30:51 <SumitNaiksatam> ok lets call it there for today
19:30:58 <badveli> but we have the spec approved in juno
19:30:58 <SumitNaiksatam> thanks all for joining
19:31:02 <SridarK> sounds good
19:31:11 <SumitNaiksatam> badveli: yes, hence we keep moving forward, unless we are told otherwise
19:31:22 <SumitNaiksatam> badveli: the specs are approved for lbaas and vpnaas as well
19:31:28 <SumitNaiksatam> badveli: also for GBP :-)
19:31:44 <SumitNaiksatam> its kind of unsettling and frustrating
19:31:50 <badveli> thanks Sumit, atleast  i am sure we get some reviews by today or tomorrow
19:32:12 <badveli> if i can reach our team and some core people
19:32:14 <SumitNaiksatam> badveli: yes, we have time until sept 5th for review if the direction is to keep this in the main tree
19:32:20 <SumitNaiksatam> so that is not an issue
19:32:26 <badveli> fine sumit
19:32:37 <badveli> i was worried if we cannot get the review in time
19:32:50 <SumitNaiksatam> alirghty then
19:32:52 <SumitNaiksatam> bye all
19:32:54 <SumitNaiksatam> #endmeeting