#openstack-meeting-alt log

16:01:01 <Sukhdev> #startmeeting networking_ml2
16:01:03 <openstack> Meeting started Wed Aug 19 16:01:01 2015 UTC and is due to finish in 60 minutes.  The chair is Sukhdev. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:06 <openstack> The meeting name has been set to 'networking_ml2'
16:01:27 <Sukhdev> Welcome to the ML2 weekly meeting
16:01:37 <Sukhdev> #topic: Agenda
16:01:42 <Sukhdev> #link: https://wiki.openstack.org/wiki/Meetings/ML2
16:02:09 <Sukhdev> #topic: Announcements
16:02:31 <Sukhdev> The FF for liberty is fast approaching - so, be watchfu
16:02:35 <Sukhdev> watchful
16:03:15 <Sukhdev> I do not have any other announcements - does anybody else have any?
16:03:36 <rkukura> I’m hoping to finsh up the DVR code/schema cleanup patches before FF, and would appreciate reviews when ready
16:04:09 <Sukhdev> rkukura: let us know when you push the patches
16:04:26 <rkukura> Sukhdev: OK, thanks
16:04:57 <Sukhdev> #topic: Action Items from pervious weeks
16:05:36 <Sukhdev> there was an action item for rkukura and Sukhdev to organize the agenda around the summits/release
16:06:08 <Sukhdev> rkukura: do you have any thoughts around it?
16:06:22 <rkukura> haven’t had a chance to work on it
16:06:30 <Sukhdev> Did you mean to include Mitaka release as well summit related agenda
16:07:37 <rkukura> I was just thinking we’d track whatever goals for mitaka we are working on, such as the async stuff, etc.
16:07:37 <Sukhdev> OK - lets discuss this off-line
16:08:05 <Sukhdev> rkukura: Oh I see - we already have that on the agenda
16:08:10 <rkukura> you’ve got all this covered in this weeks, I think
16:09:42 <Sukhdev> There is another action item - to finalize the plans for late-cycle sprint
16:10:06 <Sukhdev> rkukura: have you had a chance to follow up with the others to nail down the logictics?
16:10:18 <Sukhdev> so that folks can plan accordingly
16:10:45 <rkukura> not yet, sorry - I’ll get on that this week
16:11:04 <Sukhdev> rkukura: good - thanks
16:11:31 <Sukhdev> anybody has anything to add to this?
16:12:01 <Sukhdev> #topic: L3 Blueprints -
16:12:11 <Sukhdev> This is as an FYI on the agenda
16:12:34 <Sukhdev> #link: https://launchpad.net/neutron/+milestone/liberty-3
16:12:59 <Sukhdev> there are few ML2 related Bps in the list
16:13:23 <Sukhdev> feel free to review/follow up with the authors
16:14:13 <Sukhdev> since shivharris and asoumya are not here, I am going to skip over the physical topology discussion
16:14:35 <Sukhdev> rkukura: have you heard any progress from Arvind? '
16:15:05 <rkukura> no - I think I was supposed to contact him, but haven’t - will this week
16:15:07 <Sukhdev> he mentioned they were planning on making a submittal for Tokyo summit
16:15:31 <Sukhdev> OK - in that case, lets move along with the agenda
16:15:52 <Sukhdev> #topic: driver API for SecurityGroup
16:16:27 <yamamoto> i added it
16:16:42 <Sukhdev> yamamoto: yes, please take the stage -
16:17:29 <yamamoto> ml2 assumes rpc/agent-based security group implementatin and the md interface lacks relevant operations.
16:17:44 <yamamoto> https://bugs.launchpad.net/neutron/+bug/1444112
16:17:44 <openstack> Launchpad bug 1444112 in networking-odl "ML2 security groups only work with agent drivers" [High,In progress] - Assigned to Kyle Mestery (mestery)
16:18:12 <yamamoto> it's workarounded by using callbacks.
16:18:33 <yamamoto> but it's nicer to have more proper md interface for sg.
16:18:39 <yamamoto> how do you think?
16:19:26 <Sukhdev> yamamoto: would you like to see a more like a two-way handshake based interface?
16:20:31 <yamamoto> sure, usual pre/postcommit api would be good, at least for consistent reasons.
16:20:33 <rkukura> yamahata: I think SG flexibiltiy for MDs should be a goal for mitaka
16:21:33 <rkukura> This is an interesting case where we need to guarantee that at least one MD is enforcing the SGs for every port binding, even with hierarchical bindings and heterogeneous deployments.
16:22:02 <rkukura> It also may be worth thinking about whether this needs a SG-specific mechanism, or something more general that could do the same for other extensions.
16:23:19 <Sukhdev> shall we consider proposing a design session in Tokyo for this?
16:24:31 <Sukhdev> yamamoto: do you have any thought around it?
16:24:40 <rkukura> Sukhdev: I’m in favor of that, but it would be most valuable if there were a concrete proposal to discuss.
16:25:10 <yamamoto> sure.  i don't have a concrete proposal.  just "wondering".
16:26:01 <yamamoto> rkukura: do you have any example of other extensions?
16:26:08 <Sukhdev> yamamoto: why don't we take an action to think about it and see what can we come up with?
16:26:53 <rkukura> yamamoto: I think QoS and port security are both implemented as extension drivers in ML2. Not sure if QoS involves agent RPCs.
16:27:46 <yamamoto> currently extension drivers can merely add attributes to core resources, right?
16:28:00 <yamamoto> ie. not new CRUD ops
16:28:09 <rkukura> yamamoto: right - new resources require service plugins
16:29:40 <rkukura> We’ve talked a bit about enforcing semantics for extension drivers (as followup work to what’s there now), and maybe this is similar but for other resources.
16:30:22 <yamamoto> rkukura: sg vs address-pairs vs port-sec thing?
16:31:34 <Sukhdev> so, how is the front-end implemented for security-group CRUD operations?
16:32:06 <rkukura> Port security just extends core resources, but SGs are separate resources. I think QoS does both. I’d like to come up with a scheme where ML2 port binding ensures the semantics required by the values of these sorts of extensions are provided.
16:32:30 <yamamoto> Sukhdev: front-end?
16:33:00 <Sukhdev> yamamoto: I mean who implements the security-group CLI?
16:33:52 <rkukura> I think the SG API and DB layers are built into neutron, aren’t they?
16:34:07 <yamamoto> Sukhdev: are you talking about python-neutronclient etc?
16:34:32 <yamamoto> rkukura: yes they are
16:34:59 <Sukhdev> yamamoto: the next layer - down from python-neutronclient - i.e. is it processed by a service plugin or who?
16:36:57 <yamamoto> Sukhdev: it's handled by plugins like ml2.  ml2 currently just passes them to securitygroups_db though.
16:37:32 <Sukhdev> I am thinking that may be the point to look into perhaps figure out a way to tie it into ML2 core plugin
16:38:08 <rkukura> Does the ML2 core plugin actually handle CRUD for SG APIs? I thought these were separate.
16:38:33 <yamamoto> my understanding is ml2 -> SecurityGroupServerRpcMixin -> SecurityGroupDbMixin
16:38:48 <Sukhdev> rkukura: that is the answer I am looking for :-)
16:39:01 <rkukura> OK, was just tracking that down
16:39:29 <rkukura> So ML2 could intercept these calls and call the MDs during precommit and/or postcommit
16:40:04 <Sukhdev> rkukura: yup - that is the way I am thinking - hence, was asking those questions
16:40:54 <Sukhdev> that will give yamamoto what he is looking for - however, this will require some investtigation
16:41:13 <rkukura> So that would provide a cleaner way for MDs to observe the SG CRUD operations that using the notifications, but it doesn’t address ensuring that SGs are being properly enforced.
16:44:08 <yamamoto> isn't it reasonable to say an MD which has leaf binding of the port is responsible to enforce SG?
16:45:07 <Sukhdev> yamamoto: perhaps
16:47:16 <Sukhdev> I think it is worth thinking through -
16:48:05 <Sukhdev> perhaps we can discuss it further next week and have some more ideas and see if we build a reasonable proposal that make sense to present at design summit?
16:48:09 <Sukhdev> does it make sense?
16:48:55 <yamamoto> and ideally rpc stuff should be moved out from core ml2.   probably into an MD like l2pop?
16:48:59 <yamamoto> Sukhdev: sure
16:50:16 <Sukhdev> yamamoto: I'll keep this on agenda for next week. would you be willing to lead this topic next week?
16:50:28 <yamamoto> Sukhdev: sure
16:50:39 <rkukura> its not always the bottom-most MD - SGs might be enforced in a switch
16:51:15 <yamamoto> rkukura: is there such a implementation?
16:51:34 <Sukhdev> rkukura: are you sure about it? how would you deal with the VM migrations then?
16:51:54 <rkukura> Cisco APIC does this
16:52:16 <yamamoto> it's interesting.
16:52:36 <yamamoto> anyway let's move on.  <10 mins left.
16:52:47 <rkukura> Or can do it, there is also the opflex agent on the host that can enforce policy, but that should be optional
16:54:06 <Sukhdev> rkukura: I guess as long as at least one MD enforces it (kind of like at least one MD has to bind the port) - perhaps that might do it
16:54:27 <Sukhdev> moving right along -
16:54:31 <rkukura> Sukhdev: agreed
16:54:54 <Sukhdev> #topic: modular l2 agent & macvtap
16:55:20 <Sukhdev> scheuran is not here - but, he has posted the summary on the agenda
16:55:31 <Sukhdev> I hope everybody has had a chance to review it -
16:55:58 <Sukhdev> I kind of like their approach
16:56:29 <Sukhdev> since scheuran is not here, do not know if there is anything we want to discuss
16:56:42 <Sukhdev> #link: https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bug/1468803,n,z
16:57:09 <Sukhdev> review the patches posted by the above link
16:57:17 <Sukhdev> anything else on this topic?
16:57:28 <Sukhdev> #topic: Open Discussion
16:57:46 <Sukhdev> We managed to get to Open Discussion without running out of time :-)
16:57:55 <yamahata> hello. regarding to ML2 plugin sync, is there PoC code? or document only?
16:58:00 <yamahata> I mean https://docs.google.com/document/d/17fATwZkJEonH0pIb1-mPD0UB5RKnJzcHYqkBesJhirE/edit?pli=1
16:58:19 <Sukhdev> yamahata: there is POC code available
16:58:33 <yamahata> Very cool. link? I couldn:t find it.
16:58:34 <Sukhdev> yamahata: I reviewed it a while back
16:58:44 * Sukhdev looking
16:58:58 <yamahata> btw, I could find task flow patch.
16:59:21 <rkukura> https://review.openstack.org/#/c/154333/
17:00:05 <Sukhdev> rkukura: thanks you beat me to it :-)
17:00:20 <yamahata> thanks.
17:00:27 <rkukura> Just searched our massive agenda page ;)
17:00:31 <Sukhdev> yamahata: will you be joining us for the sprint?
17:00:47 <yamahata> I'm planning to do so.
17:00:54 <yamahata> Should I register myself at etherpad?
17:01:05 <rkukura> yamahata: yes, please
17:01:24 <Sukhdev> yamahata: great - please read the specs, the code, and reach out to rkukura, manishg or myself
17:01:26 <yamahata> rkukura: sure.
17:01:32 <Sukhdev> folks we are out of time
17:01:36 <Sukhdev> thanks for attending
17:01:40 <Sukhdev> bye
17:01:42 <yamamoto> bye
17:01:43 <rkukura> thanks Sukhdev!
17:01:44 <Sukhdev> #endmeeting