18:33:01 #startmeeting Networking FWaaS
18:33:03 Meeting started Wed Oct 29 18:33:01 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:33:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:33:06 The meeting name has been set to 'networking_fwaas'
18:33:46 badveli: we can keep this meeting short since i imagine people are preparing for attending the summit
18:33:58 fine sumit
18:34:00 #topic bugs
18:34:37 i did not see any new ones
18:34:41 lo m8s
18:35:25 glebo: hi there
18:35:37 there was some discussion in the ML around this: #link https://bugs.launchpad.net/neutron/+bug/1386543
18:36:13 yes i was seeing it
18:36:19 this is an artifact of the underlying reference driver we use (i.e. iptables)
18:36:42 we use the same iptables lib as security groups
18:36:52 so this is not specifically a FWaaS issue per se
18:37:21 glebo: badveli: thoughts?
18:38:05 iptables should be repopulated
18:38:53 looks like we had not seen the issue, back
18:39:12 badveli: we do repopulate iptables rules
18:39:25 badveli: however i believe that does not affect existing connections
18:41:10 fine sumit, i am not sure how this is happening
18:41:25 badveli: i think that is expected, right?
18:41:54 once the rule exists, it should take into effect
18:43:38 the related bug filed in SG is #link https://bugs.launchpad.net/neutron/+bug/1335375
18:44:19 maybe there is a first rule that is allowing
18:44:48 and this is the related bp: #link https://blueprints.launchpad.net/neutron/+spec/conntrack-in-security-group
18:46:03 the suggestion is to use conntrack for handling existing connections
18:47:03 sumit, you might be right
18:47:29 i need to check what is happening, should we try with adding connection track?
18:47:38 its an option
18:47:46 in the ip table ruke
18:47:49 badveli: yes
18:47:55 sorry rule
18:48:17 badveli: however i believe this has to be made part of the underlying iptables lib
18:48:28 badveli: but you can certainly experiment and see if it works
18:48:48 badveli: should we assign the bug to you?
18:49:21 fine with me
18:49:42 as you remember in service groups we said idle time out
18:50:17 if we have the connection track it might be easier for us to implement in reference implementation
18:50:25 badveli: yes
18:50:36 issue summarized here: #link http://www.redhat.com/archives/rhl-list/2006-January/msg03171.html
18:51:32 depends on how we have configured our iptables rules, if we have “RELATED,ESTABLISHED”
18:51:41 which i believe we do
18:52:36 it might be harder for some protocols
18:52:57 badveli: have assigned the bug to you
18:53:23 please update the bug and provide a reference to the SG bug
18:54:46 badveli: i dont see any other critical or high priority bugs
18:54:46 fine sumit, looks like the connection track would be available for most of the protocols
18:55:07 badveli: do you see any other high priority bugs?
18:55:39 i was looking in the reverse order
18:55:47 so could not see this immediately
18:55:55 badveli: sure, we first need to triage any untriaged bugs
18:55:58 fyi, on https://blueprints.launchpad.net/neutron/+spec/conntrack-in-security-group the text is a bit too mangled for me to understand. Do others get it?
18:56:57 glebo: i think the high order bit is that they want to use the conntrack tools
18:57:11 * SumitNaiksatam realizes that he is stating the obvious as he typed it ;-P
18:57:26 glebo, based on the protocols there may be different states
18:57:27 glebo: i dont think a spec has been created
18:57:48 ack
18:57:54 glebo: we will get more clarity when we see that
18:57:56 ftp for example initially uses control and data separately
18:58:14 it would be hard to affect the existing connections with the rules
18:58:20 badveli: true, i think all that gets abstracted into the use of the conntrack tools
18:58:43 yes sumit
18:58:51 natarajk: SridharRamaswamy: noticed you guys joined! :-)
18:59:12 yes, hi
18:59:15 we are having a short meeting today though in anticipation of the f2f time in paris next week
18:59:22 sure
18:59:22 ok moving on
18:59:25 #topic docs
18:59:28 hello all
18:59:40 SridarK is not here today
19:00:03 #action SumitNaiksatam to follow up with SridarK on open documentation bugs
19:00:16 #topic Paris summit planning
19:00:41 so, we are all aware that we dont have a dedicated fwaas design summit session
19:01:14 i have voted for FwaaS lightning talk
19:01:22 natarajk: nice, thanks :-)
19:01:32 wouldn't we get some time in Adv services spin out ?
19:01:43 natarajk: yes sure, getting to that
19:01:51 natarajk: link for where we vote likewise? I'll do it now. So will badveli
19:02:12 https://www.surveymonkey.com/s/RLTPBY6
19:02:23 do we need to vote for the adv services spin out, or that's already set?
19:02:24 natarajk: ah nice, i did not see notice that
19:02:31 natarajk: ack. thx
19:02:32 thanks for the link
19:02:39 #link https://www.surveymonkey.com/s/RLTPBY6
19:03:21 Please vote for servicevm (tacker) also
19:03:52 natarajk: sure
19:04:07 * glebo voting now
19:04:17 * glebo but also paying attention
19:04:36 this one will help us too:
19:04:37 it always pushed down even if we want to see at 1
19:04:58 "Gaps in Neutron from the Operators point of view"
19:05:12 because the Ops can't run Neutron if they can't LB and FW and such
19:05:53 That's the very real state of things from our customers. Customers had been VERY excited and active on OS, and are now backing off because of the lack of stability, features, and fullness to run their cloud
19:06:13 glebo+100
19:06:16 glebo: but you want to make sure that talk has the same PoV as yours :-)
19:06:25 So that session should be, in part, a promo session for our efforts, both here and in service insertion and GBP
19:06:27 glebo: this is a lightning talk not a discussion
19:06:52 SumitNaiksatam: That can be influenced, given customer relationship
19:06:55 ;-)
19:07:17 glebo: the proposer of that session has in the past expressed that services’ related work is not the highest priority
19:08:32 i would not be surprised that particular session is only focussed on “stability” and in fact discouraging new features
19:08:44 but there are no abstracts posted
19:08:48 so this is just my guess
19:08:53 anyway, moving on
19:09:06 we will also get some roundtable time on Friday
19:09:13 SumitNaiksatam: yeah,
19:09:36 SumitNaiksatam: it's the age old "connect, then secure, then scale"
19:09:45 glebo: true
19:09:54 for that discussion lets all contribute to the etherpad: #link https://etherpad.openstack.org/p/neutron-fwaas
19:10:00 services aren't a hi pri until basic conn works
19:10:22 but as soon as basic conn works, security is super hi pri because people can't go production w/o sec
19:11:15 glebo: very well said, wish others appreciated that as well!
19:12:08 we also need to participate/lead in the adv services’ spin out discussion: #link http://kilodesignsummit.sched.org/event/8a0b7c1d64883c08286e4446e163f1a6#.VFE774t4r4z
19:14:12 so we need to meet and plan for that
19:14:32 SumitNaiksatam: +1 to everyone participating in adv serv discussion
19:14:44 +1
19:14:49 how about we meet sometime on tuesday afternoon/evening to start discussion on these things?
19:15:11 can we have a pre-meeting to that this week, maybe Thur or Fri?
19:15:23 via web conf
19:15:30 glebo: its tight, but i am up for it
19:15:49 glebo: so you want to do this with the fwaas folks?
19:16:06 I was thinking adv services folks,
19:16:07 i can attend next tuesday evening
19:16:21 was trying to begin the planning here, in FWaaS
19:16:28 glebo: sure
19:16:31 then roll it out to the others
19:16:37 * glebo checking calendar
19:16:38 natarajk: great
19:17:24 glebo: natarajk badveli: when are you folks reaching paris?
19:17:37 how about either 10 am PDT Thur (tomorrow) , ie right before GBP, or
19:17:45 2pm PDT Thur?
19:17:50 either of those work for others?
19:18:04 I am travelling tomorrow and reaching Paris on Friday
19:18:04 well, about that...
19:18:20 badveli and I not able to make it in person.
19:18:55 I've got immovable personal commitment (hosting mother's 70 bday party, big event)
19:19:03 and badveli has code deadlines
19:19:20 But gary duan, and Yi Sun from vArmour will be there in person
19:19:28 gary arrives there later tonight
19:19:35 not sure about Yi Sun
19:19:35 glebo: that is an absolute bummer!
19:19:47 SumitNaiksatam: hold on,
19:19:53 glebo: shoot
19:19:55 SumitNaiksatam: don't cry me a beer just yet
19:20:06 glebo: i was heavily looking forward to your participation
19:20:11 glebo: i already did!
19:20:26 SumitNaiksatam: we are all staying very tight on this stuff, and have met a few times this week to stay sync'd up, get priorities and place, and such
19:20:27 glebo: any chance you can make it later in the week?
19:20:42 SumitNaiksatam: and i will b participating remotely
19:20:51 glebo: its not the same
19:20:54 glebo: anyway
19:21:11 * glebo would like to talk about remote participation tactics after this scheduling thing
19:21:19 glebo: okay
19:21:32 glebo: so lets check with folks on what time works best 10 or 2 tomorrow
19:21:35 so, adv services planning mtg tomorrow: which works?
19:21:38 natarajk: wont be able to make it
19:21:58 glebo: can you send an email to the team, if not, i can
19:25:12 alright we have 5 mins
19:25:24 so conf call tomorrow to decide the paris summit logistics
19:25:30 SumitNaiksatam: well, can us there decide on a time, then I'll propose that? 10 or 2?
19:25:32 anything else folks to discuss here?
19:25:46 glebo: just sent an email on that
19:25:48 s/us there/us here
19:25:58 SumitNaiksatam: wow, u fast man
19:27:00 glebo: badveli: if nothing else, lets wrap up for today
19:27:23 #topic blueprints
19:27:43 badveli: have you submitted the service groups spec?
19:29:03 badveli: glebo: still there?
19:29:17 y
19:29:44 * glebo was beating badveli over head with wet noodle about service group spec not yet submitted
19:30:09 he'll have it in today, tomorrow latest
19:30:45 glebo: ok great!
19:30:52 glebo: dont be too harsh :-P
19:31:00 glebo: we love badveli !
19:31:18 on that love festy note, lets wrap for today
19:31:23 thanks all for joining
19:31:27 #endmeeting