18:30:51 <SumitNaiksatam> #startmeeting Networking FWaaS
18:30:52 <openstack> Meeting started Wed Apr 1 18:30:51 2015 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:30:53 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:30:54 <pc_m> hi
18:30:56 <openstack> The meeting name has been set to 'networking_fwaas'
18:30:58 <SumitNaiksatam> pc_m: hi
18:31:17 <vishwanathj> pc_m, badveli, yushiro, Hi
18:31:26 <SumitNaiksatam> recap from the last week -
18:31:28 <yushiro> pc_m, hi
18:31:30 <badveli> hello vishwanathj
18:31:43 <SumitNaiksatam> Horizon - Adds configuration support to associate firewall to routers #link https://review.openstack.org/#/c/162552
18:31:44 <badveli> hello pc_m
18:31:46 <SumitNaiksatam> was merged
18:32:08 <SumitNaiksatam> vishwanathj: absubram: a ton of thanks for your commitment on this
18:32:27 <vishwanathj> it was a great opportunity
18:32:29 <SumitNaiksatam> i think it went through a lot more churn than we anticipated
18:32:31 <yushiro> vishwanathj, absubram great work!!
18:32:53 <badveli> great work vishwanathj, absubram
18:33:28 <vishwanathj> absubram, amotoki and others from the horizon community did a great job of helping out
18:33:51 <SumitNaiksatam> vishwanathj: +1
18:33:56 <vishwanathj> in general, the OpenStack community rocks
18:34:47 <SumitNaiksatam> the client patch remains
18:34:55 <SumitNaiksatam> and i just noticed that there are two of them:
18:35:22 <SumitNaiksatam> i have one #link https://review.openstack.org/#/c/158118/, and there is a new one #link https://review.openstack.org/#/c/166776/
18:35:51 <SumitNaiksatam> i am happy to abandon my patch, if the latter is better shape
18:35:57 <SumitNaiksatam> *is in
18:36:28 <SumitNaiksatam> #topic Bugs
18:37:23 <SumitNaiksatam> I don't think there is anything critical that showed up in the last week
18:37:47 <SumitNaiksatam> we are in the release candidate phase, so we should all be testing
18:38:28 <SumitNaiksatam> yushiro: you seemed to have made progress with #link https://review.openstack.org/#/c/147396/
18:38:38 <SumitNaiksatam> vishwanathj: has a question
18:39:08 <yushiro> SumitNaiksatam, yes. I will update the launchpad description about this patch.
18:39:37 <vishwanathj> yushiro, Steps to reproduce from either the Horizon or CLI would be appreciated
18:40:35 <SumitNaiksatam> yushiro: thanks
18:40:36 <yushiro> vishwanathj, I understood. thank you
18:40:45 <SumitNaiksatam> any other bugs to discuss today?
18:41:10 <yushiro> SumitNaiksatam, I found the bug about FWaaS today.
18:41:23 <SumitNaiksatam> yushiro: ah ok, did you file it?
18:41:50 <yushiro> SumitNaiksatam, sorry, I have not written the bug-report yet.
18:42:27 <SumitNaiksatam> yushiro: ok, so what did you observe, we can discuss here
18:43:43 <yushiro> I found the bug about policy control for firewall-policy's "insert_rule" and "remove_rule"
18:44:13 <SumitNaiksatam> yushiro: okay
18:44:33 <SumitNaiksatam> yushiro: perhaps we will check the bug report when you post it on launchpad
18:45:30 <SumitNaiksatam> also on the doc bug, i am still behind on that - #link https://bugs.launchpad.net/openstack-api-site/+bug/1425658
18:45:31 <openstack> Launchpad bug 1425658 in openstack-api-site "FWaaS needs WADL doc to be available in the API reference" [High,Confirmed] - Assigned to Sumit Naiksatam (snaiksat)
18:45:35 <yushiro> SumitNaiksatam, Thank you. I'll post the launchpad.
18:45:55 <SumitNaiksatam> i will work on this but if anyone wants to pick it up sooner, please let me know, and i will be happy to hand over
18:46:04 <badveli> yes, we will check it when it is in the launchpad.
18:46:05 <SumitNaiksatam> pc_m: was your patch merged?
18:46:14 <pc_m> SumitNaiksatam: Yes!
18:46:23 <SumitNaiksatam> pc_m: sweet! :-)
18:46:40 <SumitNaiksatam> pc_m: any chance you have the link handy?
18:46:51 <SumitNaiksatam> pc_m: sorry i know you had posted earlier
18:46:56 <pc_m> SumitNaiksatam: And it is no longer marked as experimental
18:47:07 <SumitNaiksatam> pc_m: awesome!
18:47:18 <pc_m> #link https://review.openstack.org/167609
18:47:26 <SumitNaiksatam> pc_m: thanks
18:47:34 <pc_m> sure, np
18:47:58 <SumitNaiksatam> we need to do something similar for fwaas
18:48:14 <SumitNaiksatam> we already have some content
18:48:49 <pc_m> if you have stuff from the old netconn-api repo, you can cut/paste a bunch.
18:48:51 <vishwanathj> SumitNaiksatam, When does this need to be done by?
18:49:03 <vishwanathj> I may be able to help starting next tuesday
18:49:22 <SumitNaiksatam> vishwanathj: i don't think there is a time set, but in my opinion this is ASAP
18:50:24 <vishwanathj> pc_m, what would be a good time estimate for FWaaS, since you have done it for VPNaaS, hence asking?
18:51:18 <pc_m> vishwanathj: It took me a few hours over 3 days to make the changes.
18:51:44 <SumitNaiksatam> vishwanathj: i will try to get to this, if not you can take over
18:51:59 <pc_m> So figure 8-10 hours of effort, then time to get the review.
18:52:29 <SumitNaiksatam> pc_m: true
18:52:31 <pc_m> It's pretty much a mechanical process.
18:53:03 <pc_m> If you have stuff from the old repo, it goes quicker.
18:53:10 <SumitNaiksatam> pc_m: true
18:53:24 <pc_m> If you have any questions, just ping me... I know the process now...
18:53:34 <SumitNaiksatam> pc_m: thanks much!
18:53:35 <SumitNaiksatam> #topic Functional/Integration tests in the gate
18:54:08 <SumitNaiksatam> i think SridarK mentioned that Nikolay was working on moving the FWaaS tempest tests to the neutron repo
18:54:26 <SumitNaiksatam> pc_m: you mentioned that there were some hurdles in the process?
18:54:32 <SumitNaiksatam> with vpnaas?
18:55:10 <pc_m> SumitNaiksatam: Well, for VPNaaS we only have the API tests, which are still in Neutron.
18:55:29 <pc_m> SumitNaiksatam: Nikolay was working on a scenario test for VPN and that has hit all sorts of issues.
18:55:42 <SumitNaiksatam> pc_m: ah okay
18:55:57 <pc_m> SumitNaiksatam: Main thing is that functional tests in the *aaS repos, cannot use the imports from tempest.
18:56:22 <pc_m> There is a tempest lib, but it is very limited in functionality.
18:56:25 <SumitNaiksatam> pc_m: but i thought you had a working functional test, no?
18:57:01 <pc_m> Nikolay had leveraged on tempest imports and now has to modify to make direct calls to Neutron to create the needed resources.
18:57:20 <pc_m> We have NEW functional tests that are upstreamed and working.
18:57:56 <pc_m> However, even that needs to be revised. The tests today, spin up DevStack and then run the tests.
18:57:56 <SumitNaiksatam> pc_m: yeah, i was referring to the ones like this: #link https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/tests/functional/strongswan/test_strongswan_driver.py
18:58:20 <SumitNaiksatam> pc_m: yeah, so they are more like integration tests?
18:58:29 <pc_m> Goal is to instead, just use devstack to setup the environment and not actually stack.
18:59:02 <SumitNaiksatam> pc_m: by “environment” you mean the OS?
18:59:06 <pc_m> SumitNaiksatam: Actually, no. They need the environment, but don't need VMs running or anything. It's just how the functional tests were set up.
18:59:10 <SumitNaiksatam> OS -> operating system
18:59:22 <pc_m> SumitNaiksatam: Database configured mostly.
19:00:02 <pc_m> So, I'm working on modifying the functional job to be more like Neutron is (now) and only setup the environment and not stack.
19:00:10 <SumitNaiksatam> pc_m: okay
19:00:19 <pc_m> Our existing functional tests will work with that.
19:00:21 <SumitNaiksatam> pc_m: so setup only the neutron DB
19:00:46 <SumitNaiksatam> pc_m: why is the in memory DB not good for such a thing?
19:00:55 <pc_m> SumitNaiksatam: Yeah, and some other little things (accounts, passwords, env vars).
19:01:22 <pc_m> SumitNaiksatam: Not sure, I think they have it set up for MySql and Postgres
19:02:01 <pc_m> Bottom line is that the VPN functional tests today, spin up devstack, which is really heavy. Neutron is moving away from that and
19:02:09 <SumitNaiksatam> pc_m: ok
19:02:10 <pc_m> using a new script to setup stuff.
19:02:34 <pc_m> see neutron/tools/configure_for_func_testing.sh
19:02:36 <SumitNaiksatam> pc_m: i was trying to understand why MySQL DB is required, and in-memory is not enough (just like what we have UT)
19:02:52 <SumitNaiksatam> pc_m: thanks for the pointer
19:02:55 <pc_m> SumitNaiksatam: Not really sure.
19:03:24 <SumitNaiksatam> so this is obviously a critical activity for the FWaaS team
19:03:46 <SumitNaiksatam> currently we have a gate job and hooks (which we might need to tweak per pc_m’s comments last week)
19:03:53 <pc_m> They essentially install all the packages, setup Rabbit, rootwrap daemon, etc.
19:03:56 <SumitNaiksatam> but we need to start adding functional tests as well
19:04:49 <SumitNaiksatam> we can use the VPNaaS example for the format and the nature of the functional tests
19:04:49 <pc_m> Yeah two pointers are... try to make the tests not depend on devstack actually running, and start thinking about adjusting the hook scripts to use the neutron mechanism.
19:05:14 <SumitNaiksatam> pc_m: thanks for those
19:05:23 <pc_m> Note: we got a lot of push back along the lines of making sure to do as much as possible in UTs.
19:05:50 <pc_m> We had some functional tests that we had to move to unit tests.
19:05:59 <SumitNaiksatam> pc_m: that is really interesting!
19:06:14 <SumitNaiksatam> pc_m: i thought we were doing functional type testing in the UTs
19:06:20 <SumitNaiksatam> pc_m: and wanted to move away from that
19:06:43 <SumitNaiksatam> pc_m: but perhaps in this case it was the opposite
19:07:22 <SumitNaiksatam> pc_m: for the benefit of the team, do you mind elaborating what constitutes as functional tests (based on your experience of what was expected in the context of vpnaas)?
19:08:06 <pc_m> SumitNaiksatam: Essentially, they (cores) are looking for us to do testing that doesn't require interaction with the system as UTs.
19:09:00 <pc_m> SumitNaiksatam: You're right though that, in doing that many of the UTs we have are really high level and span across numerous things.
19:09:20 <pc_m> Like exercising the API all the way down through.
19:10:15 <pc_m> So, in that respect, some of our UTs are acting like functional tests, even though they don't interact with other system components.
19:11:17 <pc_m> I think the idea is to have UTs check the low level feature, with no interactions with other components or the system, and have FTs for cases where multiple components interact, and/or interaction with the system is needed.
19:11:24 <SumitNaiksatam> pc_m: so in our case, a functional test would be: creating a firewall policy with rules, creating a firewall with that firewall, associating it with a router, and then checking that the iptables rules are actually applied?
19:11:33 * pc_m hoping it's not too confusing
19:11:56 <SumitNaiksatam> pc_m: that would be my basic example of a functional test in the FWaaS context
19:12:06 <pc_m> SumitNaiksatam: Yeah I think so, as several components are interacting.
19:12:28 <SumitNaiksatam> the testing for the application of iptables rules will have to be done at the operating system level
19:12:47 <SumitNaiksatam> i don't think we need to test all combination of the rules
19:12:55 <SumitNaiksatam> but just that rules are actually applied
19:13:08 <SumitNaiksatam> this one test will also add a lot of value
19:13:45 <pc_m> For the case of FT doing UT like things, we had a VPN driver that was checking that the config file was generated correctly for OpenSwan. It was commented that we could do that in a UT and just check the file contents without checking that VPN is working with that config.
19:13:46 <SumitNaiksatam> any takers in the team for writing this test? ;-)
19:13:54 <badveli> sumit we are saying the UT will be at iptables rules
19:14:22 <SumitNaiksatam> badveli: sorry i don't understand that comment
19:15:08 <badveli> thanks to pcm for the details, as per him the UT should be at the low level where no interactions with the system is needed
19:15:39 <pc_m> badveli: or no interaction with multiple components.
19:16:03 <SumitNaiksatam> badveli: low level can be interpreted in multiple ways
19:16:15 <badveli> thanks pc_m, yes sumit
19:16:34 <badveli> i am trying to check if we need to split our existing UT
19:16:40 <SumitNaiksatam> badveli: i think what pc_m means by low level here is a small and independent unit for functionality
19:17:10 <SumitNaiksatam> badveli: i would think it's more important to add a functional test, than immediately rework the existing UTs
19:17:30 <badveli> fine sumit, thanks
19:17:37 <SumitNaiksatam> badveli: or perhaps you are indicating that you want to “adapt” an existing UT to a functional test
19:17:50 <pc_m> SumitNaiksatam: Yeah. One of the things I was hearing was to try not to use the more "expensive" functional tests, if you can get away with a UT.
19:17:53 <badveli> yes since some existing UT
19:17:56 <SumitNaiksatam> badveli: which is a good way to move forward
19:18:00 <badveli> will fall as candidates
19:18:06 <SumitNaiksatam> badveli: true
19:18:15 <SumitNaiksatam> i guess this will be a case by case evaluation
19:18:22 <badveli> yes
19:18:38 <SumitNaiksatam> per pc_m’s comment we have to be mindful of what we are spinning up in the functional test
19:19:12 <SumitNaiksatam> running the entire stack might be too heavy (our current job does that)
19:19:15 <badveli> yes
19:19:17 <pc_m> SumitNaiksatam: Correct, and FW tests are like VPN and end up doing a whole stack.
19:19:47 <pc_m> We're trying to change VPN to be like Neutron has done, and only do the setup and not stack.
19:19:52 <SumitNaiksatam> will be really nice if someone in the team can take one test case (I mentioned a candidate above) and tried to implement that
19:20:10 <pc_m> SumitNaiksatam: FYI: Here's the link of my try to change the hook scripts: https://review.openstack.org/#/c/168115/
19:20:15 <SumitNaiksatam> once we have one implemented functional test, i think it will make it easier for others to add as well
19:20:23 <SumitNaiksatam> pc_m: ah nice
19:20:34 <pc_m> SumitNaiksatam: It fails on StrongSwan, something with rootwrap. I need to figure out why.
19:21:05 <SumitNaiksatam> pc_m: okay, fortunately we don't have such dependencies
19:21:17 <SumitNaiksatam> pc_m: iptables should always be present :-)
19:21:56 <SumitNaiksatam> alrighty, anything more on this topic?
19:22:03 <pc_m> SumitNaiksatam: Yeah the OpenSwan tests with normal rootwrap work, but the StrongSwan ones are failing. I'm not really familiar with that area, so need to ask around.
19:22:06 <SumitNaiksatam> pc_m: thanks for all the pointers
19:22:15 <pc_m> SumitNaiksatam: Sure.
19:22:16 <SumitNaiksatam> #topic Open Discussion
19:22:23 <SumitNaiksatam> did we miss anything for today
19:22:25 <SumitNaiksatam> ?
19:22:37 <SumitNaiksatam> i believe the Neutron etherpad for the design summit has been posted
19:22:46 <badveli> do we have some time to add the functional tests
19:23:09 <badveli> sumit will sync up with you afterwards
19:23:13 <SumitNaiksatam> badveli: i believe they will accept functional tests
19:23:17 <SumitNaiksatam> badveli: that would be great
19:23:44 <SumitNaiksatam> even if they don't for the kilo cycle, i think liberty will open soon, so we should be able to merge one way or the other
19:24:02 <yamahata> Will we create fwaas specific etherpad?
19:24:02 <badveli> ok, thanks
19:24:05 <SumitNaiksatam> #link https://etherpad.openstack.org/p/liberty-neutron-summit-topics
19:24:12 <SumitNaiksatam> the design summit etherpad
19:24:38 <yamahata> or use the neutron etherpad?
19:25:14 <SumitNaiksatam> yamahata: hi, thanks for joining
19:25:20 <SumitNaiksatam> yamahata: good question
19:25:44 <SumitNaiksatam> yamahata: i don't know what the thinking is on this, but i haven't heard that the *aas are getting separate sessions
19:25:53 <SumitNaiksatam> dougwig: hi there
19:26:45 <SumitNaiksatam> pc_m: do you know if we are doing separate etherpads for *aaS, i am guessing not
19:27:10 <SumitNaiksatam> i am guessing we get session time as a part of the neutron sessions, and hence share the same etherpad
19:27:15 <dougwig> SumitNaiksatam: my ears are burning!
19:27:17 <pc_m> SumitNaiksatam: Haven't heard anything. though this is the first time I've looked at the etherpad too :)
19:27:38 <SumitNaiksatam> dougwig: burning from what?
19:27:55 <dougwig> you tell me, you said 'hi there', my client buzzed. :)
19:28:04 <SumitNaiksatam> dougwig: ah
19:28:28 <SumitNaiksatam> dougwig: for the design summit do you know if *aaS will be part of the neutron summit agenda?
19:28:40 <dougwig> i asked for one of the smaller working groups for an lbaas session to discuss v2 features, now that it's shipped. no idea if it'll get room.
19:28:51 <SumitNaiksatam> dougwig: ah okay
19:28:57 <yamahata> Anyway If we have many fwaas items, we can split them at that time.
19:29:02 <dougwig> we're all part of neutron, so certainly put your needs/wants in the etherpad.
19:29:10 <SumitNaiksatam> dougwig: i did not see any lbaas on the neutron etherpad so was wondering
19:29:22 <SumitNaiksatam> dougwig: yeah that's what i thought we were supposed to do
19:29:41 <SumitNaiksatam> it's already a long list though
19:29:47 <SumitNaiksatam> dougwig: thanks for the input
19:29:50 <dougwig> i think fwaas currently has a slow for one of the big "fishbowl" sessions, iirc.
19:29:54 <dougwig> /slow/slot/
19:30:42 <SumitNaiksatam> dougwig: oh, did not notice it in the etherpad
19:30:54 <SumitNaiksatam> dougwig: is it on the schedule?
19:30:59 <pc_m> I see Openflow FW driver as lightning session.
19:31:13 <pc_m> Don't see anything else.
19:31:17 <dougwig> *loooks*. must've been an earlier etherpad. put something back in, if you've got topics.
19:31:28 <SumitNaiksatam> pc_m: i think that is different, that is for security groups if i am not mistaken
19:31:39 <SumitNaiksatam> dougwig: right
19:32:21 <SumitNaiksatam> yamahata: hope that answers your question :-)
19:32:29 <SumitNaiksatam> okay we are 2 mins over time
19:32:34 <SumitNaiksatam> anything else that we missed?
19:33:11 <SumitNaiksatam> alrighty, thanks everyone!
19:33:12 <SumitNaiksatam> bye!
19:33:15 <vishwanathj> bye
19:33:16 <yushiro> bye!
19:33:18 <yamahata> thanks bye
19:33:19 <SumitNaiksatam> #endmeeting