18:33:46 <SumitNaiksatam> #startmeeting Networking FWaaS
18:33:47 <vishwana_> hi all
18:33:48 <openstack> Meeting started Wed Nov 26 18:33:46 2014 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:33:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:33:50 <bobmel> SumitNaiksatam: :-)
18:33:51 <openstack> The meeting name has been set to 'networking_fwaas'
18:33:53 <SridarK_> vishwana_: hi
18:34:06 <vishwana_> SridarK_: Hi
18:34:18 <SumitNaiksatam> #announce SPD: Monday 12-8-2014 SAD: Monday 12-15-2014
18:34:22 <SumitNaiksatam> just retierating
18:34:28 <SumitNaiksatam> *reiterating
18:35:07 <SridarK_> SumitNaiksatam: yes the pressure :-(
18:35:16 <SumitNaiksatam> any other announcements anyone wants to share?
18:36:10 <SumitNaiksatam> ok moving on
18:36:13 <SumitNaiksatam> #topic Bugs
18:36:16 <Swami> hi
18:36:35 <SridarK_> Swami: hi
18:36:40 <badveli> hello swami
18:36:48 <SridarK_> #link https://bugs.launchpad.net/openstack-manuals/+bug/1346986
18:36:52 <SumitNaiksatam> thankfully seems like nothing critical/high has showed up
18:36:54 <SridarK_> oops sorry
18:37:03 <SumitNaiksatam> Swami: hi, thanks for joining
18:37:08 <SridarK_> SumitNaiksatam: yes nothing new
18:37:17 <SumitNaiksatam> Swami: we will get to your email on E-W in just a bit
18:37:24 <SumitNaiksatam> SridarK_: ok cool
18:37:45 <SumitNaiksatam> we are still delinquent on: https://review.openstack.org/#/c/104132/
18:37:58 <SumitNaiksatam> lets review this at the earliest
18:38:36 <Swami> SumitNaiksatam: no worries
18:38:41 <SridarK_> SumitNaiksatam: yes the client one will do that
18:38:54 <SumitNaiksatam> SridarK_: thanks
18:39:05 <SumitNaiksatam> badveli: anything else on your radar on the bugs front?
18:39:25 <badveli> Nothing as i could see
18:40:02 <SumitNaiksatam> badveli: okay, and you are still tracking the discussion around: https://bugs.launchpad.net/neutron/+bug/1386543 and https://bugs.launchpad.net/neutron/+bug/1335375, right?
18:40:09 <badveli> yes
18:40:40 <SumitNaiksatam> badveli: okay
18:40:44 <SumitNaiksatam> #topic Docs
18:40:53 <SumitNaiksatam> SridarK_: go ahead
18:41:00 <SridarK_> #link https://bugs.launchpad.net/openstack-manuals/+bug/1346986
18:41:22 <SumitNaiksatam> i noticed your post, thanks!
18:41:34 <SumitNaiksatam> just in the nick of time ;-P
18:41:47 <SridarK_> i think there is one section there - can one post a review for just our section ?
18:42:08 <SridarK_> SumitNaiksatam: :-) life seems to be "nick of time" all the time :-)
18:42:18 <SumitNaiksatam> SridarK_: :-)
18:42:42 <SumitNaiksatam> SridarK_: i think that should be good, perhaps we can send an email to ann gentle to check with her as to what is the process?
18:42:51 <SridarK_> SumitNaiksatam: ok will do
18:42:59 <SumitNaiksatam> SridarK_: great, thanks
18:43:05 <SridarK_> the other one:
18:43:08 <SridarK_> #link https://bugs.launchpad.net/openstack-manuals/+bug/1373674
18:43:17 <SridarK_> is fixed by someone already
18:43:40 <SumitNaiksatam> sweet!
18:44:14 <SumitNaiksatam> documentation seems to be okay on that
18:44:28 <SumitNaiksatam> it would be good for us to be in the loop on these things
18:44:33 <SridarK_> SumitNaiksatam: yes it was a quick clarification
18:44:50 <SridarK_> SumitNaiksatam: yes - it seems the only way is to poll for these
18:45:03 <SumitNaiksatam> SridarK_: yeah :-(
18:45:06 <SumitNaiksatam> Swami: so on the DVR related documentation, your suggestion is that we wait and watch?
18:46:10 <Swami> hi
18:46:45 <Swami> Yes, we will wait till they have the networking guide and we can provide the feedback there to add the services that are supported and how it is supported.
18:46:56 <SumitNaiksatam> Swami: ok cool
18:47:02 <Swami> I am working with Edgar, Matt Kassawara and Elke Vorghies
18:47:09 <SumitNaiksatam> Swami: is there any meeting that we should be attending?
18:47:25 <SumitNaiksatam> Swami: i recall references during the last neutron meeting
18:47:33 <Swami> There is a meeting on Fridays from 9.00 a.m. to 10 a.m.
18:47:50 <Swami> At this time, I will take care, and if needed I will let you know.
18:47:51 <SumitNaiksatam> Swami: would appreciate if you get SridarK_ and me plugged into that meeting
18:48:04 <Swami> Ok, it is a google hangout meeting
18:48:09 <SumitNaiksatam> Swami: okay thanks
18:48:14 <Swami> I will send you the link.
18:48:19 <SridarK_> Swami: thanks
18:48:39 <SumitNaiksatam> Swami: great! but hangout is weird for this kind of a thing!
18:48:54 <SumitNaiksatam> Swami: thanks Swami for that input
18:49:01 <SumitNaiksatam> anything else on docs?
18:49:06 <Swami> that's what they do right now
18:49:20 <SumitNaiksatam> Swami: okay
18:49:28 <SumitNaiksatam> moving on
18:50:45 <SumitNaiksatam> #topic FWaaS team mission and charter
18:51:02 <SumitNaiksatam> https://wiki.openstack.org/wiki/NeutronSubteamCharters#FWaaS_Team
18:51:26 <SumitNaiksatam> we discussed this over emails
18:51:34 <SumitNaiksatam> bringing it up here in case anyone missed it
18:51:55 <SumitNaiksatam> currently this does not mention the DVR E-W
18:52:07 <Swami> I have mentioned in the DVR charter.
18:52:08 <SumitNaiksatam> we also need to append to the specs list once we post those
18:52:28 <SumitNaiksatam> Swami: great, nice to have cross team reinforcement
18:53:02 <SumitNaiksatam> anything more to discuss here?
18:53:26 <SumitNaiksatam> we will touch on the topic of services’ split in a bit
18:53:43 <SumitNaiksatam> ok next topic
18:53:53 <SumitNaiksatam> #topic Kilo blueprints
18:54:01 <SumitNaiksatam> related to our charter
18:54:26 <SumitNaiksatam> Service groups and objects: #link https://review.openstack.org/#/c/131596
18:54:38 <SumitNaiksatam> badveli: thanks for the updates
18:54:47 <badveli> thanks sumit
18:54:50 <SumitNaiksatam> badveli: sorry i havent had a chance to get back to it
18:54:56 <SumitNaiksatam> is glebo here?
18:54:57 <badveli> no problem, thanks
18:55:14 <badveli> looks like not here
18:55:24 <badveli> thanks giving
18:55:31 <badveli> week
18:55:44 <SumitNaiksatam> badveli: i understand, i did expect a light attendance today
18:56:12 <SumitNaiksatam> i wanted to check if he got any response to the emails he had sent to mestery or markmcclain regarding the service groups
18:56:16 <badveli> do we need any inputs from him?
18:56:24 <SridarK_> badveli: i will go thru once more and put a +1
18:56:35 <SumitNaiksatam> i did not see a response, but just checking
18:56:42 <badveli> thanks sridark, on that front, did not receive anything
18:56:51 <SumitNaiksatam> SridarK_: thanks, i need to read through again as well
18:57:32 <SumitNaiksatam> SridarK_: any update on the router/port based insertion?
18:57:56 <SridarK_> SumitNaiksatam: will put this together real soon
18:58:09 <SumitNaiksatam> SridarK_: okay thanks
18:58:15 <SridarK_> on router_id - we keep this optional
18:58:33 <SumitNaiksatam> SridarK_: did we get any response from arvind, brian or glebo on the use cases?
18:58:51 <SridarK_> SumitNaiksatam: no
18:59:00 <SridarK_> SumitNaiksatam: let me send a reminder
18:59:33 <SumitNaiksatam> SridarK_: okay
18:59:40 <SridarK_> SumitNaiksatam: based on what we have in our various discussions - i think ports seems more palatable
19:00:01 <SumitNaiksatam> SridarK_: okay, what does the rest of the team think about this?
19:00:17 <SridarK_> SumitNaiksatam: the other thing is that this will probably need to go as an attribute of the firewall extension
19:00:30 <SumitNaiksatam> SridarK_: okay
19:00:36 <badveli> sridark, does it seem odd to ask the user to give the port
19:00:37 <SridarK_> SumitNaiksatam: given that extensions are being clamped down
19:00:59 <badveli> may be we are asking more from user
19:01:09 <SridarK_> badveli: the thought was that the port is a representation of the subnet "behind" it
19:01:26 <SridarK_> badveli: and we are adding a fw for that subnet
19:01:39 <SridarK_> badveli: did u have something else in mind ?
19:02:47 <badveli> currently i do not have much, i need to think more
19:03:07 <SridarK_> badveli: ok - do send an email
19:03:20 <badveli> i am not sure if the customers really would like anything like this
19:03:46 <SridarK_> badveli: we need to go away from the all routers all ports model
19:03:48 <badveli> thanks sridark, will let you know
19:04:01 <badveli> yes that would be ideal
19:04:13 <SridarK_> badveli: based on the feedback from the summit
19:04:46 <badveli> sridark, my only thought was when this happens would be a undo the one that we had done
19:04:55 <SridarK_> badveli: if we want to fw a particular subnet for ex engineering
19:05:07 <badveli> from the configuration
19:05:08 <SridarK_> badveli: router port provides a good abstraction
19:05:08 <badveli> 
19:06:00 <SridarK_> badveli: sorry don't understand
19:06:45 <SumitNaiksatam> SridarK_: we had discussed one option of having router_id and router_ports, both as optional attributes
19:06:46 <badveli> sridark ideally we do not want to tie up to ports / routers
19:07:15 <badveli> sumit, so this will be optional parameters
19:07:50 <SridarK_> SumitNaiksatam: yes by specifying the router-id and the ports associated
19:07:59 <SridarK_> SumitNaiksatam: perhaps a subset or all
19:08:04 <SumitNaiksatam> badveli: its an option to have these as optional parameters :-)
19:08:14 <SumitNaiksatam> SridarK_: okay
19:08:22 <SumitNaiksatam> okay so lets wait for SridarK_’s spec
19:08:36 <SridarK_> SumitNaiksatam: :-) yes all are optional
19:08:47 <badveli> good one
19:09:17 <SridarK_> SumitNaiksatam: but what is ur thought on attribute to firewall extension
19:09:30 <SridarK_> SumitNaiksatam: i guess that would be okay ?
19:10:07 <SumitNaiksatam> SridarK_: you mean an extension to the firewall resource, or add an attribute to the current firewall resource?
19:10:21 <SridarK_> SumitNaiksatam: attribute to the firewall resource
19:10:42 <SumitNaiksatam> SridarK_: perhaps that might be the more palatable option
19:10:58 <SridarK_> SumitNaiksatam: the extension to firewall resource may have some acceptance issues
19:11:14 <SumitNaiksatam> SridarK_: the attribute extension mechanism is more flexible in that it does not pollute the base model, but it has its downside
19:11:20 <SumitNaiksatam> SridarK_: yeah
19:11:34 <SridarK_> SumitNaiksatam: perhaps we can put that as an Alternative
19:11:44 <SumitNaiksatam> SridarK_: perfect
19:12:06 <SumitNaiksatam> i would also like to hear the opinion of the rest of the team on this
19:12:08 <SridarK_> SumitNaiksatam: ok thx
19:12:24 <SumitNaiksatam> so i think looking at the spec people can provide an informed opinion
19:12:27 <SumitNaiksatam> ok moving on
19:12:55 <SumitNaiksatam> we should also be discussing pcm’s patch of the L3 agent refactor
19:13:10 <SumitNaiksatam> #link https://review.openstack.org/#/c/135392/
19:13:57 <SumitNaiksatam> i believe pcm is on vacation, we can probably have this discussion in this meeting if he is around in the next week
19:14:26 <SridarK_> SumitNaiksatam: yes pcm is out
19:14:53 <SumitNaiksatam> SridarK_: ok thanks
19:14:54 <SumitNaiksatam> #topic FWaaS for E-W traffic scenario with DVR
19:15:19 <SumitNaiksatam> Swami just sent some detailed ideas, which i have shared with the rest of the team
19:15:30 <Swami> #link https://docs.google.com/document/d/11Gp62Yfyi1WH6yM6E_308OB4CC9A6xhxKZJ8B5jOwLc/edit
19:15:33 <SumitNaiksatam> perhaps we can take a quick min to peruse the diagrams
19:15:39 <SumitNaiksatam> Swami: thanks!
19:16:04 <Swami> Just to give a brief summary of the two options that we discussed in Paris.
19:16:38 <badveli> thanks swami, will take a look
19:16:56 <Swami> Option 1: is to have a bump in the wire scenario. To add a bridge in between the br-int and br-tun and track all the traffic incoming and outgoing. Apply the rules there.
19:17:27 <Swami> Option 2: Instead of applying firewall rules in multiple places for East-West and north south, let us apply it in the "qr" namespace.
19:18:21 <Swami> But when the return traffic hits the br-int, if possible we can force the traffic to get into the router, like a loopback interface and apply the rules there. I am not sure if it is viable and has any issues. But it has to be investigated from the flow rules and from the routers perspective.
19:18:53 <SumitNaiksatam> Swami: does applying in the “qr” namespace introduce a single choke point?
19:19:15 <SumitNaiksatam> Swami: btw, thanks for the summary (was about to ask)!
19:19:53 <Swami> It will not be a single choke point, because you are also applying all the compute nodes. But it will be single choke point for that particular host.
19:20:42 <SumitNaiksatam> Swami: So the point is that the “qr” namespace itself is distributed since it manifests on all the hosts?
19:20:58 <Swami> Yes.
19:21:08 <badveli> swami: adding a bridge
19:21:27 <Swami> badveli: yes
19:21:45 <badveli> add forcing the traffic towards it
19:21:46 <SridarK_> Swami: we will do the "return traffic thru qr" if we have fw configured ?
19:22:03 <badveli> how do we do that?
19:22:03 <badveli> 
19:22:06 <Swami> adding a bridge will be similar to the security groups where you apply all the rules in a bridge and then attach it with the veth pairs.
19:22:27 <SumitNaiksatam> Swami: in that case, i believe the advantage with the second method is that from a fwaas perspective we only have to deal with the “qr” namespace, always (regardless of E-W or N-S traffic)?
19:22:41 <badveli> thanks swami
19:22:56 <Swami> SridarK_: Yes, if firewall is configured for the tenant we force the traffic to send it back to the "qr" and so all your rules will be applied in a single place.
19:23:41 <SumitNaiksatam> Swami: okay i think you answered my question as well with that response
19:23:42 <SridarK_> Swami: ok that way we will take  a sub-optimal path only then
19:24:08 <SridarK_> Swami: defn looks like a viable option but need to think some more
19:24:17 <SumitNaiksatam> good discussion
19:24:27 <Swami> Yes we don't need to decide today. But give it a thought.
19:24:44 <SumitNaiksatam> Swami: thanks for the timely interjection with this proposal :-)
19:24:46 <Swami> I have also asked "Vivek" to check on the flow rules and any impact for option 2.
19:25:08 <Swami> Whichever option is viable and riskless we can go on that direction.
19:25:19 <SumitNaiksatam> lets circle back on the email thread, and have a more definitive discussion in the next meeting
19:25:24 <SumitNaiksatam> Swami: thanks
19:25:33 <SumitNaiksatam> 5 mins left
19:25:36 <Swami> Sorry I was supposed to send you out this picture after the paris trip, but I was on Jet lag for a week.
19:25:43 <badveli> yes, thanks sumit
19:25:46 <SumitNaiksatam> Swami: np
19:25:49 <SridarK_> Swami: thanks
19:25:49 <SumitNaiksatam> #topic Vendor drivers
19:25:59 <SumitNaiksatam> vishwana_: you posted your spec, right?
19:26:02 <SumitNaiksatam> link?
19:26:27 <vishwana_> yes, I did, thanks to you and SridarK for initial review and comments
19:26:49 <SumitNaiksatam> vishwana_: np, just procedural nits
19:27:07 <vishwana_> https://review.openstack.org/#/c/136953/
19:27:19 <vishwana_> I am yet to address your review comments
19:27:28 <SumitNaiksatam> vishwana_: thanks for the link
19:27:39 <vishwana_> What is the Ipv6 impact requirement?
19:27:39 <SumitNaiksatam> any other vendor related bps posted or in the pipeline?
19:27:49 <SridarK_> SumitNaiksatam: #link https://review.openstack.org/#/c/129836/
19:27:56 <SumitNaiksatam> vishwana_: i am not completely sure on this
19:28:08 <SumitNaiksatam> vishwana_: however there was a thread in the -dev ML on this
19:28:19 <SumitNaiksatam> vishwana_: perhaps you can post your question there
19:28:22 <vishwana_> Any guidance on how to approach that would be valuable
19:28:32 <vishwana_> SumitNaiksatam: Thanks
19:28:36 <SumitNaiksatam> vishwana_: i believe in your case there should not be any IPv6 impact since this is vendor specific
19:28:49 <vishwana_> I see
19:28:53 <SumitNaiksatam> SridarK_: thanks, did not notice that one
19:29:14 <SumitNaiksatam> vishwana_: again, my comment was more procedural ;-)
19:29:16 <SridarK_> SumitNaiksatam: no worries - it has extension written all over it :-)
19:29:25 <SumitNaiksatam> SridarK_: :-)
19:29:30 <SumitNaiksatam> #topic Open Discussion
19:29:35 <vishwana_> SumitNaiksatam: understood
19:29:35 <SumitNaiksatam> we have one minute
19:29:42 <SumitNaiksatam> one quick one - #link https://review.openstack.org/#/c/136835/
19:29:48 <SumitNaiksatam> services’ split ^^^
19:30:08 <SumitNaiksatam> this is shaping up in a different way from what we discussed in the paris summit
19:30:18 <SridarK_> SumitNaiksatam: +1 :-(
19:30:22 <SumitNaiksatam> at any rate i have volunteered to help out on the fwaas side of things
19:30:32 <SridarK_> SumitNaiksatam: i can also help
19:30:41 <SumitNaiksatam> others should read this spec carefully and express their opinion as well
19:30:44 <SumitNaiksatam> SridarK_: great
19:30:52 <SumitNaiksatam> ok, lets call it a wrap
19:30:59 <SumitNaiksatam> happy thanksgiving to all!
19:30:59 <SridarK_> Ok bye all
19:31:02 <Swami> will take a look at it.
19:31:03 <SumitNaiksatam> bye
19:31:05 <vishwana_> bye
19:31:06 <badveli> bye all
19:31:06 <SridarK_> Happy Thanks giving
19:31:14 <Swami> bye, happy thanksgiving
19:31:17 <SumitNaiksatam> #endmeeting