18:30:56 <SumitNaiksatam> #startmeeting Networking FWaaS 18:30:57 <openstack> Meeting started Wed Apr 8 18:30:56 2015 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:30:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:31:00 <openstack> The meeting name has been set to 'networking_fwaas' 18:31:01 <SridarK> badveli: yamahata: yushiro: hi 18:31:09 <badveli> hello sridark 18:31:13 <SumitNaiksatam> #topic Bugs 18:32:09 <SumitNaiksatam> this is a doc bug: #link https://bugs.launchpad.net/openstack-manuals/+bug/1440864 18:32:10 <openstack> Launchpad bug 1440864 in openstack-manuals "Firewall-as-a-Service (FWaaS) overview in OpenStack Cloud Administrator Guide - current" [Undecided,New] 18:32:19 <SumitNaiksatam> we need someone to look at it 18:33:00 <SumitNaiksatam> yushiro: regarding #link https://bugs.launchpad.net/neutron/+bug/1439383 18:33:02 <openstack> Launchpad bug 1439383 in neutron "FWaaS - the action of firewall-policy "insert_rule" and "remove_rule" not exist in policy.json" [Undecided,New] - Assigned to Yushiro FURUKAWA (y-furukawa-2) 18:33:18 <SumitNaiksatam> pc_m: hi 18:33:22 <pc_m> hi! 18:33:27 <SumitNaiksatam> yushiro: are you planning to post a patch? 18:33:34 <yushiro> pc_m, hi 18:33:54 <pc_m> yushiro: Hi 18:33:56 <yushiro> SumitNaiksatam, yes. I'll post the patch. 18:34:15 <SumitNaiksatam> yushiro: thanks! 18:34:39 <SridarK> SumitNaiksatam: i will look into 1440864 18:34:42 <SumitNaiksatam> the following is another relatively minor bug: #link https://review.openstack.org/#/c/169239/ 18:34:48 <SumitNaiksatam> SridarK: thanks much 18:35:07 <SumitNaiksatam> i thought the change was good, not sure why the gate keeps failing on that, i havent investigated 18:35:43 <SumitNaiksatam> we have this high priority doc bug: #link https://bugs.launchpad.net/openstack-api-site/+bug/1425658 18:35:44 <openstack> Launchpad bug 1425658 in openstack-api-site "FWaaS needs WADL doc to be available in the API reference" [High,In progress] - Assigned to Sumit Naiksatam (snaiksat) 18:35:49 <SumitNaiksatam> i posted a patch for that 18:35:57 <SumitNaiksatam> still little more work to do 18:36:05 <SumitNaiksatam> i also volunteered co-authors ;-P 18:36:29 <SumitNaiksatam> so first priority is to bring it in sync with the older documentation 18:36:38 <SumitNaiksatam> and then add the router insertion specific details 18:36:41 <SridarK> SumitNaiksatam: I am trying to add some stuff into the common.ent file 18:36:43 <pc_m> SumitNaiksatam: Gates on 169239 is because of Neutron UT changes. 18:37:07 <SumitNaiksatam> pc_m: ah ok, the recent changes 18:37:12 <SumitNaiksatam> pc_m: thanks 18:37:28 <pc_m> SumitNaiksatam: Should be fixed by my commit https://review.openstack.org/171602. Just rebase. 18:37:30 <SridarK> SumitNaiksatam: +1 to pc_m 18:37:55 <SumitNaiksatam> pc_m: was just going to say, not sure why he didnt try a rebase 18:38:06 <SumitNaiksatam> perhaps we can post a comment with the suggestion 18:38:20 <pc_m> SumitNaiksatam: Will do. 18:38:28 <vishwanathj> should not the Rebase Change button work from the patch link 18:39:28 <pc_m> vishwanathj: Might, but might not, as there may be conflict in test file. 18:39:33 <vishwanathj> nevermind, When I do that, I get the error "The Change could not be rebased due to a patch conflict during merge" 18:39:47 <pc_m> vishwanathj: :) 18:40:08 <SridarK> test_db_firewall.py shd have conflicts 18:40:12 <pc_m> SumitNaiksatam: What;s the patch number for the doc change? 18:40:34 <SridarK> the day that button works always we will all be redundant :-) 18:40:46 <vishwanathj> :) 18:41:16 <pc_m> LoL 18:41:18 <SumitNaiksatam> pc_m: which one? 18:41:43 <pc_m> You mentioned the WADL, you have a patch? Or is it not up for review yet? 18:41:59 <SumitNaiksatam> #link https://review.openstack.org/#/c/170733/ 18:42:02 <SumitNaiksatam> pc_m: ^^^ 18:42:11 <pc_m> thanks 18:42:48 <SridarK> pc_m: u had filled in the common.ent file manually for vpn ? 18:43:02 <SridarK> i recall u saying something to that effect 18:43:18 <pc_m> SridarK: yeah I did everything manually. 18:43:30 <SridarK> pc_m: i will ping u offline for some pointers on that 18:43:30 * pc_m manual = cut and paste :) 18:43:42 <SumitNaiksatam> pc_m: :-) 18:43:44 <SridarK> pc_m: boy that file makes my head spin :-) 18:43:54 <SumitNaiksatam> pc_m: i took that advice to heart ;-) 18:44:16 <pc_m> SridarK: Sure we can chat. It makes sense once you play with it for a while. 18:44:28 <SridarK> pc_m: ok thx 18:44:51 <SumitNaiksatam> any other interesting bugs we missed today? 18:45:05 <vishwanathj> I need to respond to Yushiro's patch set..... 18:45:10 <SridarK> SumitNaiksatam: nothing else i believe 18:45:21 <SumitNaiksatam> SridarK: okay 18:45:24 <SumitNaiksatam> vishwanathj: link? 18:45:46 <vishwanathj> https://review.openstack.org/#/c/147396/ 18:46:01 <yushiro> vishwanathj, thank you! 18:46:13 <vishwanathj> for some reason, I am still able to reproduce the issue after I apply the patch 18:46:52 <vishwanathj> yushiro, you may need to upload another patchset as Jenkins as failed with error "Patch in merge conflict" 18:47:22 <SumitNaiksatam> vishwanathj: ah, yeah noticed your comment earlier, thanks for trying it out 18:47:50 <SumitNaiksatam> #topic Functional/Integration tests in the gate 18:48:03 <SumitNaiksatam> badveli: you said wanted to give this a shot? 18:48:13 <badveli> yes thanks for your pointers 18:48:33 <yushiro> vishwanathj, I see. I will upload the patch. current my patch status is 'Merge Conflict'. I don't know why.. 18:48:39 <badveli> i went through the test that you had mentioned 18:48:45 <SumitNaiksatam> for the basic test i was proposing last week, i was thinking something along the lines of what this is doing: #link https://github.com/openstack/neutron/blob/master/neutron/tests/functional/agent/linux/test_iptables_firewall.py 18:49:06 <SumitNaiksatam> badveli: okay great 18:49:23 <SumitNaiksatam> badveli: you want to discuss here your findings? 18:50:09 <badveli> looks to me we can do some thing similar as you had mentioned set up firewall and do some functional test like allow or deny case 18:50:22 <SridarK_> SumitNaiksatam: badveli: is this for Scenario tests ? 18:50:24 <badveli> sent some traffic and check 18:51:15 <SumitNaiksatam> SridarK_: this is for functional tests 18:51:29 <SridarK_> SumitNaiksatam: so API or beyond ? 18:51:38 <SumitNaiksatam> SridarK_: in the last week we discussed with pc_m as to how we can get some functional tests going 18:51:59 <SumitNaiksatam> with functional tests the idea is to not require the entire opesntack stack to be running 18:52:22 <SridarK_> SumitNaiksatam: ok got it - sorry - will catch up on logs 18:52:31 <yamahata> Do you have any idea on how to create packet? 18:52:33 <badveli> sridark to check the functionality of the firewall in affect 18:52:42 <SumitNaiksatam> but perhaps just exercise the fwaas code such that it triggers the configuration iptables rules 18:53:04 <SumitNaiksatam> yamahata: do we need to create a packet? 18:53:18 <SumitNaiksatam> yamahata: i was not thinking in terms of testing the datapath 18:53:30 <yamahata> it depends on what firewall rule to be tested. 18:53:31 <yamahata> Okay 18:53:33 <SumitNaiksatam> yamahata: but testing that the expected iptables rules are applied 18:53:43 <SridarK_> ok makes sense - we can actually just check the iptables to see if the rule manifests in iptables 18:53:51 <SumitNaiksatam> SridarK_: yeah 18:54:10 <SumitNaiksatam> since we can rely that iptables is independently tested for the data path 18:54:29 <SridarK_> SumitNaiksatam: yes and easier and more light weight makes total sense 18:54:37 <SumitNaiksatam> of course we need to ensure that we are validating against the right critieria (in terms of what we expect the rules to be applied) 18:54:51 <badveli> sumit in the tests that you had mentioned they check ping traffic 18:55:00 <SumitNaiksatam> badveli: ah okay 18:55:07 <SumitNaiksatam> so they do test the datapath 18:55:08 <badveli> they use some helper 18:55:28 <SumitNaiksatam> badveli: good to know 18:55:50 <SumitNaiksatam> pc_m: i guess any tests that we now land will go into liberty, right? 18:56:16 <pc_m> yeah 18:57:12 <SumitNaiksatam> badveli: let us know how your investigation goes 18:57:21 <badveli> thanks to pc_m for reorganizing the unit test case 18:57:27 <SumitNaiksatam> badveli: and once you have some plan around this, lets share with the rest of the team 18:57:41 <SumitNaiksatam> badveli: that way we can split the work and get more people involved 18:57:46 <badveli> yes, also one more question will the functional test fall in different path 18:57:49 <pc_m> Sure, np. I had to do VPN and had a script to help, so I used it on FW. 18:58:01 <SumitNaiksatam> yamahata: i believe you have some experience in this as well 18:58:16 <yamahata> Sure, willing to get involved/help 18:58:17 <SumitNaiksatam> yamahata: so please chime in with your suggestions 18:58:28 <SumitNaiksatam> yamahata: awesome!! 18:58:32 <badveli> yes sumit, i started looking at that test and will update 18:58:54 <SumitNaiksatam> badveli: great, thanks! 18:59:18 <SumitNaiksatam> badveli please keep yamahata in close loop, he has good experience with this 18:59:42 <yamahata> badveli: please Yalei too 18:59:43 <badveli> the functional tests will be under which a seperate directory structure 18:59:51 <SumitNaiksatam> badveli is also local (with reference to your location), so you can bug him ;-P 18:59:56 <badveli> ok, thanks yamahata 19:00:10 <badveli> ok, thanks yamahata and sumit 19:00:47 <SumitNaiksatam> badveli: we have made a start in terms of the directory structure #link https://github.com/openstack/neutron-fwaas/tree/master/neutron_fwaas/tests/functional 19:00:57 <badveli> sorry i saw we have a directory structure 19:01:06 <SumitNaiksatam> SridarK_: you mentioned that Nikolay was working on the tempest tests (scenario tests?) 19:01:07 <badveli> yes thanks sumit 19:01:21 <SumitNaiksatam> SridarK_: that will be a different effort from this 19:01:22 <SridarK_> SumitNaiksatam: yes he will be doing that 19:01:29 <SumitNaiksatam> just to make sure we are all on the same page 19:01:29 <SridarK_> SumitNaiksatam: got it 19:01:53 <SumitNaiksatam> SridarK_: and it would be good to track that effort here as well 19:02:02 <SumitNaiksatam> SridarK_: i believe this is a bad time fo Nikolay 19:02:21 <SumitNaiksatam> so may be you can proxy him (i believe pc_m is in close discussion with him as well) 19:02:22 <SridarK_> #link https://review.openstack.org/#/c/165859 19:02:36 <SridarK_> patch from him for insertion mode 19:02:41 <SumitNaiksatam> SridarK_: bam!! sweet!! 19:02:45 <SridarK_> but will probab go to L 19:02:59 <SridarK_> SumitNaiksatam: yes i will proxy for Nikolay 19:03:10 <SumitNaiksatam> seems like an ultra lite patch though ;-) 19:03:32 <SridarK_> SumitNaiksatam: yes wanted to get a patch out - but working with him to improve coverage 19:03:51 <SumitNaiksatam> looking at the most recent comment, i agree as well, perhaps need a separate test case 19:03:56 <pc_m> SumitNaiksatam: FYI, Nikolay is in Russia. 19:04:33 <SridarK_> SumitNaiksatam: yes and more work is needed 19:04:33 <SumitNaiksatam> pc_m: thanks, yes, good for everyone to know 19:05:15 <SumitNaiksatam> SridarK_: its great that Nikolay is on this, i dont mean to belittle the work in any way 19:05:21 <SumitNaiksatam> sorry if i sounded like that 19:05:39 <SridarK_> SumitNaiksatam: no totally understand did not take it that way at all just wanted to clarify 19:06:05 <SumitNaiksatam> its take a lot of time and effort to just get the environment setup to be able start writing and tests like these 19:06:15 <SumitNaiksatam> so its fantastic that he is at this point 19:06:32 <SumitNaiksatam> because if you get one test going, then i think its relatively easier to add more 19:06:38 <SridarK_> SumitNaiksatam: he is working with pc_m for vpnaas as well 19:06:59 <SumitNaiksatam> pc_m: on that, you mentioned there were some issues that other neutron cores had raised 19:07:16 <SumitNaiksatam> pc_m: has that been sorted out, and the feedback conveyed to Nikolay? 19:08:00 <pc_m> SumitNaiksatam: Yeah, main issue was that tests were using tempest repo imports. Nikolay has been working on doing the test w/o tempest. 19:08:11 <SumitNaiksatam> pc_m: ah okay 19:08:23 <pc_m> SumitNaiksatam: He just posting something today, but I haven't looked at it yet. 19:09:06 <pc_m> SumitNaiksatam: I mentioned to him that in Neutron they now have "fixtures" (see Fake* classes), and that maybe that would help as well 19:09:15 <SumitNaiksatam> pc_m: okay 19:09:34 <pc_m> SumitNaiksatam: I haven't looked into the Fixtures much, but seems like they have things for ports, routers, networks, etc. 19:10:08 <SumitNaiksatam> pc_m: okay, thanks for relaying that information 19:10:15 <pc_m> SumitNaiksatam: In short, there's a bunch to be done for the scenario test, but we've got time, as it'll land in Liberty. 19:10:26 <SumitNaiksatam> pc_m: true 19:11:04 <SumitNaiksatam> the first test will take time, after that it will be much easier to scale this out to more people 19:11:50 <SumitNaiksatam> anything more to discuss today on the topic of functional/integration tests? 19:12:20 <SumitNaiksatam> ok moving on 19:12:25 <SumitNaiksatam> #topic Open Discussion 19:12:55 <SumitNaiksatam> as regards the design summit 19:13:05 <SumitNaiksatam> #link https://etherpad.openstack.org/p/liberty-neutron-summit-topics 19:13:06 <vishwanathj> Do any of the vendor have to refactor their code as a result of https://review.openstack.org/#/c/169239/ getting merged? 19:14:02 <SumitNaiksatam> vishwanathj: i doubt it 19:14:10 <vishwanathj> looks like the Vyatta Firewall agent code might have to respin? I am investigating the impact and code changes 19:14:36 <vishwanathj> SumitNaiksatam, Ok 19:15:07 <SumitNaiksatam> vishwanathj: okay 19:15:09 <SridarK_> vishwanathj: i would have thought this should not have any impact 19:15:25 <SumitNaiksatam> there seems to be a comment in the etherpad: “The future of FWaaS: What do we do with it, how it relates to security groups, etc.” 19:15:41 <SumitNaiksatam> line item 43 19:16:45 <SridarK_> SumitNaiksatam: interesting :-) 19:16:53 <SumitNaiksatam> you can go through the time line and see who added that 19:17:00 <SumitNaiksatam> i am guessing its not someone from this team 19:17:10 <SumitNaiksatam> i cant tell clearly who it is 19:17:15 <SridarK_> SumitNaiksatam: should the answer be "Bright" :-) 19:17:21 <SridarK_> the future that is :-) 19:17:28 <SumitNaiksatam> SridarK_: :-) 19:17:42 <vishwanathj> SumitNaiksatam, SridarK_, vyattaFirewallAgent implements the method process_router() method, refer https://review.openstack.org/#/c/169239/.... 19:18:24 <SumitNaiksatam> vishwanathj: okay 19:18:48 <SumitNaiksatam> so if you have any firewall related topics that you need to add, please add them to etherpad 19:19:10 <vishwanathj> wrong link, refer https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/agents/vyatta/fwaas_agent.py 19:19:36 <vishwanathj> the patchset https://review.openstack.org/#/c/163222/6/neutron/agent/l3/agent.py removes the call to process_router() 19:20:05 <SridarK_> vishwanathj: ok - i was getting really confused as that was a one line change 19:21:09 <vishwanathj> SridarK_, I need to investigate what the corresponding change should be ....was wondering if the other vendor codes had already looked into it and assessed the impacts.... 19:21:35 <SridarK_> vishwanathj: we have our own agent so this should not impact us 19:21:43 <vishwanathj> looks like you guys may not be impacted and the Vyatta code might be....will approach you guys for guidance if needed 19:21:45 <SridarK_> but other vendors may have a similar situation 19:22:25 <vishwanathj> pc_m, was the VPN code impacted? 19:23:33 <pc_m> vishwanathj: I don't think so. 19:23:50 <vishwanathj> pc_m, Thanks 19:24:25 <pc_m> Tests pass, so it must work :) 19:24:31 <vishwanathj> :) 19:24:37 <SumitNaiksatam> pc_m: :-) 19:24:50 <SumitNaiksatam> okay anything else for today? 19:25:32 <badveli> viswanathj i am looking at the agent patch, will update if we need to change in the mean time let me know how are you handling the removed process_router 19:25:57 <vishwanathj> badveli, I need to investigate, will keep you posted on what I find out 19:26:16 <badveli> ok, thanks 19:26:19 <vishwanathj> became aware of this only this morning 19:26:46 <pc_m> vishwanathj: VPN just listens for the events, which happen in _process_added_router() and _process_updated_router(). 19:27:06 <pc_m> vishwanathj: FW could do the same thing, and decouple from the agent, if desired. 19:27:56 <vishwanathj> pc_m, thanks, let me spend some time trying to grasp this...will probably ping you on IRC if I have questions 19:27:59 <badveli> thanks pc_m for the pointers 19:28:07 <pc_m> IOW, VPN "subscribes" for notifications of various events from agent, and then has handlers for those events. FW can do the same thing, if action needed on the events. 19:28:14 <pc_m> vishwanathj: sure 19:29:02 <SumitNaiksatam> pc_m: yes 19:29:22 <SumitNaiksatam> pc_m: thanks much for jumping in and fixing the UT failures 19:29:42 <SumitNaiksatam> pc_m: by the time i woke up and noticed that there was an issue, you had it fixed ;-) 19:29:46 <pc_m> Sure np. I did a fix for the check bash script thing too, but it'll have to wait for liberty 19:29:56 <SumitNaiksatam> pc_m: ok 19:30:02 <pc_m> yeah earlt bird gets the worm :) 19:30:12 <pc_m> early 19:30:39 <SumitNaiksatam> pc_m: :-) 19:30:44 <SumitNaiksatam> thanks eveyrone 19:30:47 <SumitNaiksatam> bye! 19:30:50 <pc_m> bye 19:30:52 <vishwanathj> bye 19:30:55 <yushiro> Bye bye 19:30:56 <yamahata> bye 19:30:57 <SumitNaiksatam> #endmeeting