18:29:29 <sc68cal> #startmeeting networking_fwaas 18:29:30 <openstack> Meeting started Wed Nov 18 18:29:29 2015 UTC and is due to finish in 60 minutes. The chair is sc68cal. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:29:31 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:29:34 <openstack> The meeting name has been set to 'networking_fwaas' 18:30:06 <vishwanathj> hi 18:30:07 <sc68cal> Unless there are any objections i'd like to dedicate the whole hour to just discussing the new api spec 18:30:13 <SridarK> +1 18:30:18 <mickeys> +1 18:30:22 <annp> Hi 18:30:29 <bharath> Hi 18:30:36 <xgerman> hi 18:30:53 <badveli> hello all 18:31:10 <sc68cal> #topic API spec review - https://review.openstack.org/243873 18:31:17 <jwarendt> hi 18:31:19 <madhu_ak> hi 18:31:31 <xgerman> yeah, I like us to get that approved right after Thanksgiving 18:31:43 <xgerman> aka M1 18:32:10 <sc68cal> xgerman: ack. the latest revision has me hopeful 18:32:20 <xgerman> me, too 18:32:22 <xgerman> :-) 18:32:39 <SridarK> yes i think we are fairly close too 18:32:40 <s3wong> hello 18:32:45 <mickeys> What do we intend for scope of the spec. Just defining the API? Or going into backend reference implementation as well? 18:32:52 <sc68cal> mickeys: just the API. 18:32:56 <xgerman> +1 18:33:06 <badveli> i had some questions on the common backend which i will point out in spec 18:33:18 <sc68cal> badveli: no do not talk about backends in the spec please 18:33:19 <xgerman> well, that doesn’t matter on the API 18:33:42 <SridarK> so for the referennce implementation - we can create another one going off this as the master spec 18:33:51 <badveli> but i am not very clear on how we are going to incorporate 18:34:01 <badveli> ok thanks we will take it in another spec 18:34:34 <xgerman> sc68cal we should alo talk midcycle 18:34:45 <xgerman> after the API discussion 18:35:10 <sc68cal> xgerman: good point, 15 minutes enough? 18:35:14 <xgerman> yep 18:35:21 <xgerman> likely less 18:35:48 <xgerman> so back to API 18:36:24 * sc68cal opens up gertty 18:37:00 <badveli> i am thankful for incorporating the service group and firewall group's 18:37:29 <xgerman> how is tuff called? accept, reject, deny — or drop? 18:37:34 <sc68cal> the issue is there does not seem to be a way to actually add ports to a policy 18:37:52 <sc68cal> err 18:37:53 <SridarK> I am in the midst of the latest rev - one thought is that given that we are taking the reference impl out of this discussion - what we are going after is the final form ? 18:37:59 <sc68cal> firewall gropu 18:38:00 <sc68cal> *group 18:38:30 <xgerman> SridarK we should be able to start implementing a stubbed API server 18:38:32 <badveli> yes looked to me it is a consturct to group address 18:38:34 <xgerman> or extension 18:38:41 <mickeys> Through firewall group port association. Everything is CRU. 18:38:49 <badveli> firewall groups to be a construct to group address 18:38:59 <sc68cal> mickeys: right - but how is a association created via the API? 18:39:13 <xgerman> those class are missing 18:39:17 <mickeys> When I wrote things up in the etherpad, I was thinking of all the tables as API 18:39:32 <mickeys> I was not thinking that some are data model and others are API 18:39:50 <xgerman> well, we need to spec out the calls like we did for the rest 18:39:54 <mickeys> Aish: xgerman: What was the thought behind calling some data model? 18:40:30 <xgerman> yeah, we probably need to specify our tables somewhere 18:40:38 <SridarK> i think so too adding the CRU on an attribute should cover that 18:40:57 <sc68cal> My suggestion - perhaps add an attribute to the firewall group REST API resource - ports? 18:41:39 <mickeys> I think of the Firewall group attributes table and firewall group port association tables as the JSON body of REST APIs 18:42:07 <xgerman> mickeys, part of the spec are some example calls so we should do the same for the new constrcuts 18:42:16 <xgerman> and base it on those tables 18:42:42 <xgerman> otherwise we are inconsistent 18:42:43 <mickeys> Agreed. We need to define endpoints/URIs and give examples 18:42:59 <sc68cal> we're worse than inconsistent - we leave it undefined. 18:43:12 <SridarK> sc68cal: i think u are asking for something along the lines for policies etc that are shown 18:43:41 <sc68cal> SridarK: right - that will help, but we also need to show how someone would associate a port to a firewall group 18:43:47 <sc68cal> via the REST API 18:44:14 <SridarK> sc68cal: ok i get it makes it more clear for sure 18:45:47 <sc68cal> don't forget - this API spec will be around for a loooooong time, people will be using it to figure out how to implement 18:46:01 <badveli> yes looked from the firewall groups it looked like more address groups but not sure how they are applied ports 18:46:38 <mickeys> Firewall groups are primarily a collection of ports. Firewall group port association table is how you apply to ports. 18:47:13 <mickeys> Whether addresses should be in firewall groups in addition to ports, or have a separate address group is an open issue. Right now there is a separate address group. We need to decide this soon, preferrably now. 18:48:11 <SridarK> mickeys: my sense is that it would be simpler to keep them separate and the validation around this will be simpler 18:48:54 <sc68cal> mickeys: firewall group port association table is how we *store* 18:49:03 <badveli> thanks mickey i am trying to understand how is the firewall group port association table populated 18:49:09 <sc68cal> mickeys: it does not specify how a user actually sends an API request to get it to store 18:49:24 <sc68cal> and how it's formatted/structured/expressed 18:50:28 <xgerman> yep, that’s the gap we need to close with the next respin 18:51:21 <mickeys> Original preference was extension to port table, so that it could be defined when a port is created, but that was seen as potentially controversial. So we talked about specifying it in FWaaS tables. The question is whether there is a list of ports in the firewall group table, or a separate URI just for the firewall group port association 18:51:41 <sc68cal> mickeys: you're still thinking database tables though 18:52:13 <mickeys> Firewall group must be its own endpoint/URI, with the attributes specified in the table 18:52:28 <sc68cal> as a consumer of this API, what URI, what kind of JSON do I send to get Port AAAAA associated with firewall group BBBBB ? 18:52:48 <mickeys> Agreed that we need to specify this. 18:53:13 <sc68cal> I'm in agreement with the database model side, we're good there. 18:53:15 <mickeys> Aish: xgerman: You added the firewall group port table. Are you thinking separate URI? 18:53:55 <xgerman> nope, I think we mixed data model and REST calls 18:54:10 <jwarendt> Usually there is an encoded URI association ../firewall/<id>/ports/... at the REST level, or separate resources with URI/ID links. Need REST api first - db is implementation. 18:54:31 <sc68cal> jwarendt: +1 18:54:44 <mickeys> So add a list of ports as an attribute to the firewall group URI when we add that? 18:54:48 <jwarendt> Though ultimately need: 1) plugin interface 2) driver interface 3) db layer to go along with REST. 18:55:16 <sc68cal> mickeys: that sounds reasonable to me 18:55:16 <xgerman> 2) I think we have more than one driver interface for different aspects 18:55:26 <xgerman> sc68cal +! 18:55:28 <xgerman> +1 18:56:11 <xgerman> yeah, one of the aims of the new API is to not make it more difficult for the user. So he does;t have to create 10 things to get a firewall... 18:57:12 <sc68cal> we're very close - I can feel it 18:57:28 <xgerman> +1 18:57:43 <mickeys> Do we want to mention the port extension as well, and note that it may come later? The rationale for the port extension is that the person creating the port can adjust associated firewall groups as they are creating the port. I doubt an application deployer is going to mess with FWaaS. 18:58:04 <sc68cal> I'd rather not 18:58:05 <mickeys> There was some concern about the difficulty in adding things to the port table 18:58:26 <xgerman> well, as soon as you do something for all of Neutron velocity dies 18:58:28 <SridarK> so the fw group is the binding point of the policy and where it is applied - from a db perspective the association to ports can be a separate table 18:59:14 <xgerman> yep, and that keeps us adding things to the port table of the critical path 18:59:19 <SridarK> agree on the port extension - let that come later 19:00:20 <s3wong> mickeys: wouldn't the sequence of event being user creating port, and associate the port with a FW group? Why would a FW group already been associated with a port being created? 19:00:56 <SridarK> s3wong: the vm port case 19:01:01 <sc68cal> ^ this 19:01:11 <xgerman> s3wong we like the concept of a default firewall 19:01:11 <sc68cal> associate a new vm port to an existing policy 19:01:17 <mickeys> s3wong: That is the issue. By the time there is a VM port for us to associate / put in the list in the firewall group, the VM port is already active 19:01:23 <sc68cal> s/policy/firewall group/ 19:01:29 <mickeys> So, the default firewall group would apply temporarily 19:01:46 <xgerman> and then the user can change it to his likings 19:02:09 <xgerman> in the future you might be able to specify a firewall group on nova create 19:02:29 <SridarK> xgerman: thats vision :-) 19:02:42 <xgerman> yep, I should have said far future 19:02:48 <SridarK> :-) 19:03:08 <s3wong> xgerman: not a bad vision 19:03:21 <sc68cal> Do we have a good description of what service_group attribute of a firewall rule is? 19:03:21 <SridarK> +1 19:03:30 <mickeys> As far as document structure, I think the firewall group attributes should be moved to the API section, with the addition of a port list. We then need to figure out where to put the data model section, including the firewall group port association table 19:04:20 <xgerman> agreed, I think their is a data model impact in the spec teamplate 19:04:44 <badveli> sc68cal: the service group UUID can be referred by firewall, we had it in the service group spec 19:04:51 <mickeys> sc68cal: For service group, the question is how we can reference it as an important part of the API, but specify it outside in a separate spec 19:05:30 <sc68cal> mickeys: badveli: ok - but what does it *do* ? 19:05:30 <mickeys> Is it OK to leave it in the attributes table and refer to another spec? 19:05:45 <badveli> mickeys: i think that is fine 19:05:48 <xgerman> I think this is what we have to do 19:06:00 <SridarK> mickeys: yes i think we can point to badveli's spec 19:06:08 <badveli> we can reference it 19:06:15 <mickeys> A group of objects, each with protocol, source L4 port range, dest L4 port range. In the future, L7 objects such as application ID. 19:06:17 <SridarK> and leave it as something that is being explored for the future 19:06:35 <xgerman> (and might become some classifier)\ 19:07:01 <badveli> sc68cal: the service group spec clearly mentions the functionality i did not add L7 objects as of now 19:07:04 <mickeys> The thought is, for a particular application, there will be certain protocol/L4port combinations that you will want enabled. Once someone specifies the service group for that application, you can reuse that over and over again, wherever that application is deployed. 19:07:32 <sc68cal> so basically a classifier 19:07:38 <mickeys> Exchange, SAP, etc 19:07:42 <sc68cal> or multiple classifiers 19:07:49 <mickeys> Not a full classifier. Nothing to do with addresses or identity. 19:08:04 <sc68cal> classifier doesn't have to require addresses 19:08:08 <s3wong> list of application classifiers 19:08:12 <xgerman> yeah, so I think keeping that out of the API spec gives us some flexibility later 19:08:26 <mickeys> Say if I want to use exchange or SAP or FTP ... 19:08:28 <sc68cal> and I'd like to remove the attribute from the API for now 19:08:41 <sc68cal> we can add it back in once we have something more concrete 19:09:11 <xgerman> mmh, we have the service group so it shouldn’t matter if they are done with classifiers or not 19:09:17 <xgerman> matter to the API 19:09:30 <sc68cal> we're already making a big hunk of work by having address groups 19:09:36 <badveli> sc68cal: should we have it there , i am pretty sure this will decouple the notion of service from the firewall 19:10:02 <sc68cal> as well as firewall gruops 19:11:01 <sc68cal> SridarK: what are your thoughts 19:11:03 <SridarK> sc68cal: yes i have some concerns on actually what we will implement - but if we keep this spec as the end goal and we call out implementation for M outside of this 19:11:11 <SridarK> sc68cal: u read my mind 19:11:32 <SridarK> sorry straddling mtgs 19:12:02 <xgerman> yeah, I think we should spec out what we want and then figure out the implementation strategy later 19:12:17 <sc68cal> Ok. let me noodle on it a bit more - I think if we make it more clear what it will do - API interaction wise, i'll be more happy with leaving it in 19:12:47 <sc68cal> and let me re-read badveli 's spec - the link to it might satisfy me 19:13:00 <badveli> sc68cal: let me know if you have questions 19:13:02 <badveli> thanks 19:13:05 <mickeys> I am unclear where are ending up. Leave service group as is, but clarify the reference? Define it completely in the spec? Take it out? 19:13:19 <sc68cal> mickeys: leave it in, and give me a link over to badveli's spec in the notes 19:13:29 <badveli> +1 19:13:36 <xgerman> understood 19:13:41 <mickeys> Reference the Kilo version? 19:13:49 <mickeys> badveli: Any plans to resubmit for Mitaka? 19:14:01 <badveli> yes i am doing it 19:14:05 <sc68cal> I think this will work - if this is the most up to date - http://specs.openstack.org/openstack/neutron-specs/specs/juno/service-group 19:14:21 <xgerman> yeah, specs usually just roll forward... 19:14:21 <mickeys> There is a kilo spec 19:14:30 <badveli> https://review.openstack.org/#/c/131596 19:14:35 <SridarK> i think we can use the kilo spec 19:14:53 <SridarK> badveli: u will need to clean this up and resubmit ? 19:15:02 <sc68cal> ok then use http://specs.openstack.org/openstack/neutron-specs/specs/kilo/service-group.html 19:15:15 <xgerman> yep 19:15:18 <badveli> yes, should we add the notion of L7 19:15:19 <mickeys> +1 19:15:23 <mickeys> Not yet 19:16:29 <badveli> will it be ok to resubmitt before our API spec gets approved? 19:16:59 <sc68cal> let's use a HTTP link to the rendered HTML - if your spec gets approved for mitaka we can always update the link 19:17:08 <sc68cal> to point to the new URL 19:17:46 <sc68cal> from the firewall side there isn't any difference - since we're just storing a UUID 19:17:54 <xgerman> +@ 19:17:56 <xgerman> +1 19:18:18 <mickeys> +1 19:18:21 <badveli> ok thanks. 19:18:22 <SridarK> yes it is a resource we refer to 19:18:23 <sc68cal> ok, we've got about 10 minutes left - xgerman - midcycle? 19:18:26 <SridarK> so +1 19:18:36 <xgerman> #topic midcycle 19:18:43 <sc68cal> sorry I didn't add you as chair 19:18:44 <sc68cal> #topic midcycle 19:18:48 <xgerman> #link https://etherpad.openstack.org/p/lbaas-mitaka-midcycle 19:18:59 <xgerman> so dougwig likes to colocate with LBaaS 19:19:15 <xgerman> they picked 1/13-1/16 as potential dates 19:19:29 <xgerman> would they work for you guys? 19:19:43 * sc68cal checks 19:19:46 <s3wong> 1/16 is a Saturday? 19:19:51 <xgerman> really? 19:20:21 <s3wong> yep 19:20:41 <sc68cal> so 1/12 to 1/15? 19:20:50 <xgerman> would be fine by me 19:21:12 <sc68cal> works for me too 19:21:14 <jwarendt> works 19:21:19 <xgerman> awesome 19:21:27 <mickeys> No conflicts for me 19:21:30 <sc68cal> is the Idaho option - dougwig 's house? 19:21:45 <xgerman> might be some hunting cottage 19:21:59 <mickeys> Idaho in January? That wouldn't be Sun Valley, would it? :-) 19:22:15 <sc68cal> what's seattle like in jan? 19:22:16 <SridarK> Brr!! 19:22:21 <xgerman> nope, I think Seattle and San Antonio are more realistic options 19:22:33 <SridarK> +1 19:22:46 <sc68cal> lol "somewhere new" crossed out 19:22:54 <s3wong> like any other months, raining :-) 19:23:45 <sc68cal> I think whichever is easiest to organize and host 19:24:07 <sc68cal> san antonio weather probably is better than SEA, but i'm not picky 19:24:26 <xgerman> yeah, big concern from Doug is that we go to Seattle each time but... 19:24:32 * sc68cal sneaks over to mountains to snowboard after midcycle 19:24:57 <SridarK> i always welcome u too the bay area 19:25:08 <jwarendt> xgerman cannot fit us all in San Diego unfortunately if chasing good weather. 19:25:26 <s3wong> sunny California! 19:25:43 <xgerman> I can probably work something out but there are also budgetary constraints 19:26:22 <vishwanathj> Which company will host in San Antonio, will that be rackspace? 19:26:31 <xgerman> yep 19:26:57 <xgerman> there is a lot of travel budget thinling behind locations 19:28:28 <xgerman> ok, I guess we are good 19:28:34 <xgerman> please vote on location 19:29:12 <xgerman> and I think we are done for today ;-) 19:29:23 <vishwanathj> bye all 19:29:23 <sc68cal> yup 19:29:26 <sc68cal> bye all 19:29:27 <SridarK> bye all 19:29:27 <vichoward_> o/ 19:29:29 <mickeys> bye 19:29:31 <sc68cal> #endmeeting