16:02:47 <rkukura> #startmeeting networking_ml2 16:02:48 <openstack> Meeting started Wed Jan 13 16:02:47 2016 UTC and is due to finish in 60 minutes. The chair is rkukura. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:02:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:02:51 <openstack> The meeting name has been set to 'networking_ml2' 16:03:01 <sadasu> Hello! 16:03:13 <rkukura> #topic Agenda 16:03:46 <rkukura> #link https://wiki.openstack.org/wiki/Meetings/ML2#Meeting_January_13.2C_2016 16:04:03 <rkukura> Anything to add to the agenda today? 16:04:27 <rkukura> #topic Announcements 16:04:40 <rkukura> Only announcement I have is that M2 is next week 16:04:43 <rkukura> Anything else? 16:06:08 <rkukura> #topic Driver API for SecurityGroup 16:06:54 <rkukura> yalie: Can you update us on the status of this? 16:07:26 <yalie> rkukura: yes, from the discussion last week, we will work on it in next N 16:07:49 <Sukhdev> There was an action for rkukura and yalie to update the bug to get the closure for M release 16:08:08 <yalie> rkukura: so how to deal with the RFE bug now? 16:08:28 <yalie> Sukhdev: yes 16:09:11 <rkukura> I see active review on https://review.openstack.org/#/c/252755/, which adds the precommit events. Is that going into M? 16:09:31 <Sukhdev> rkukura, yalie: you may want to reply to armax's comment on the bug 16:09:53 <rkukura> Sukhdev: Yes, I plan to but just have not got to it 16:10:09 <yalie> rkukura: yes, that review is split from the RFE, and RFE will focus on only the enforcement 16:10:20 <Sukhdev> rkukura : no worries 16:10:21 <rkukura> OK 16:10:41 <rkukura> anything else on this right now? 16:10:46 <yalie> rkukura: that review for the precommit event goes well 16:11:19 <rkukura> yes, I looked at it briefly and it seems in pretty good shape 16:11:42 <rkukura> #topic limited-portsec implementation 16:12:22 <yalie> limited-portsec has a new implementation in the last week. 16:12:26 <rkukura> yalie: Also looks like good progress on https://review.openstack.org/#/c/250036/ since last week 16:12:50 <rkukura> any issues to discuss? 16:13:02 <yalie> rkukura: still issue left. 16:13:35 <rkukura> yalie: Can you summarize the issue? 16:13:46 <yalie> rkukura: the plugin still can not get the ability of supporting limit-portsec clearly 16:14:31 <yalie> now, I add the attr in portsec db, if the pulgin inherit the db class, it could call directly. 16:15:04 <yalie> but for extension in ML2, it only see portsec, and plugin could not call the db verification function 16:15:58 <yalie> the plugin can not know if it support limit-portsec or not. 16:16:28 <rkukura> yalie: Why does ML2 itself need to know if limit-portsec is enabled? 16:17:16 <rkukura> Or does it need to be configurable? 16:17:25 <yalie> I just think maybe user want to get this ability 16:18:04 <rkukura> yalie: Do you mean like querying whether an extension is supported? 16:18:09 <yalie> yes, rkukura 16:18:27 <yalie> querying whether it is supported 16:19:02 <rkukura> I guess that’s an argument for treating this as a separate extension rather than part of the portsec extension 16:19:13 <yalie> because implement it in the same extension, now user only see port-sec extention. 16:19:27 <yalie> yes 16:20:03 <rkukura> would it make sense to have two seperate extensions, but both implemented by the same DB mix-in class? 16:21:47 <yalie> that would make the current create to be 'update', because the same row maybe has been created by another one because of order in extentsion call list 16:22:42 <yalie> implement it in the same extension just to avoid the dependency/order issue 16:23:39 <rkukura> I didn’t mean a separate extension driver necessarily, just a separate extension that can be queried 16:24:19 <yalie> sepearate extension showed in supported_ext_alias of plugin? 16:24:46 <rkukura> So limitied-portsecurity would extend portsecurity, but the DB mix-in class would implement both (depending on the flag) and the ML2 extension driver would handle both in terms of the DB mix-in. 16:24:51 <rkukura> yalie: yes 16:26:29 <yalie> oh maybe, I have not figure out it but we can discuss it offline 16:26:33 <rkukura> yalie: Has the querying of support for this been raised as an issue in the review? 16:27:21 <yalie> no, I just think of it's issue when I add the testcases. 16:27:28 <rkukura> yalie: OK, I’ll try to keep up with the review, but ping me on IRC or email if you’d like to discuss it 16:27:45 <rkukura> anything else on this topic? 16:28:03 <yalie> some plugin which support it or not check different return value. 16:28:08 <yalie> rkukura: thanks! 16:28:53 <yalie> rkukura: no more add 16:28:55 <rkukura> yalie: Is this something that some ML2 mechanism drivers would support, and others might not? 16:30:47 <yalie> rkukura: no, I want the test verify different value based on the plugin support it or not. like if plugin don't support, maybe the value filled with 'not-support' 16:31:08 <sadasu> yalie: I haven't been keeping up with the review 16:31:45 <yalie> sadasu: just my own thought, maybe it's not a problem. 16:31:46 <sadasu> but the cisco ucsm mech driver can operate in 2 modes 16:32:20 <yalie> sadasu: which 2 modes? 16:32:20 <sadasu> port-security would not be supported when the mech driver is dealing with a SR-IOV port 16:32:41 <sadasu> and would support it (possibly) if it is a virtio port 16:32:49 <sadasu> how can we take care of that case? 16:34:07 <yalie> sadasu: thanks, does that a kind of usecase of enforcement? rkukura 16:34:20 <rkukura> yalie: I was just typing the same thing 16:34:43 <sadasu> sorry, didn't get the question! 16:34:51 <yalie> rkukura: yeah 16:35:15 <sadasu> ok, that was a question for rkukura 16:35:38 <yalie> sadasu: we are thinking if this case is one kind of usecase for this : https://bugs.launchpad.net/neutron/+bug/1518087 16:35:39 <openstack> Launchpad bug 1518087 in neutron "[RFE] Method to guarantee that at least one mechanism driver implements security groups" [Wishlist,Won't fix] - Assigned to yalei wang (yalei-wang) 16:36:06 <Sukhdev> sadasu: when you say virtio port, you include trunk port as well? 16:36:21 <rkukura> We had previously been discussing yalie’s BP for enforcing SGs, which I’ve previously suggested is a more general issue for various extensions, not just SGs 16:37:55 <yalie> sadasu: when your mech driver works in mode which don't support portsec, does that mean portsec is false all the time and read-only 16:37:57 <sadasu> Sukhdev: in my case not trunk ports, just neutron virtual ports assigned to VMs 16:38:33 <yalie> sadasu: or just no this extension 16:38:40 <rkukura> In general, when we have a deployment with a mix of different mechanism drivers, what do we want to happen when the semantics required by the user’s extension values cannot be provided with certain possible bindings? Should port binding fail? Should nova scheduling take this into account somehow? 16:38:57 <sadasu> well, that mode is not a config time setting, it is based on what port type is being created/updated 16:39:25 <sadasu> rkukura: thanks for framing my question in a more generic way 16:40:23 <scheuran> sadasu, regarding sriov: the sriov agent only supports the noopfirewall driver for sec groups (it was implemented like it would support sec groups). But it has some anti spoofing support which can be enabled. not sure in which area the port security thing goes 16:40:59 <scheuran> sadasu, also with sriov virtual ports (macvtap) there's no way to implement sec groups at the moment 16:43:17 <scheuran> sadasu, oh my statement was about the sriov agent, not the cisco ucsm... 16:43:28 <sadasu> scheuran: agreed, thats why I want my mech driver to have the option of not supporting sec groups for some port types and support it for others 16:44:23 <sadasu> I think the design is currently going in the direction where the entire mech driver says it can support sec group or not almost at init time 16:44:47 <yalie> sadasu: agree 16:45:15 <rkukura> sadasu: Even if that is the case for one mech driver, what if one supports sec group and another doesn’t? We don’t handle that right now. 16:45:58 <sadasu> can we keep it at a more granular level? say at the level of ports instead? 16:46:19 <sadasu> rkukura: agreed. we need to take care of that too 16:47:21 <yalie> at least mech driver need provide the info that whether and when it support SG/extesnion or not 16:47:44 <sadasu> yalie: agreed. 16:48:44 <rkukura> I’m not sure its a question of whether or not the MD(s) support the extension, its whether they can provide the semantics required by the extension’s values 16:49:33 <sadasu> rkukura: +1. yes, that is a more accurate description 16:49:45 <yalie> rkukura: yes 16:50:11 <rkukura> Seems this topic will be a good one to discuss in Austin, hopefully with one or more concrete proposals. 16:51:34 <rkukura> #topic Open Discussion 16:51:35 <sadasu> rkukura:+1 16:51:43 <yalie> rkukura: +1 16:52:06 <rkukura> We’ve got about 8 minutes left - anything else to discuss? 16:52:06 <scheuran> a short thing regarding modular l2 agent (sorry if I missed that before) 16:52:22 <rkukura> scheuran: go right ahead... 16:52:44 <scheuran> all the smaller patchsets got merged, now it's time to make the "big" split off 16:52:48 <scheuran> https://review.openstack.org/#/c/246318 16:53:13 <scheuran> any input would be helpful! 16:53:31 <rkukura> scheuran: great work! 16:53:44 <scheuran> If I got armax right, we need to make mitaka2, otherwise it will move out 16:53:52 <scheuran> but I need to clarify this again 16:54:36 <Sukhdev> scheuran : M2 is next week - but, it can go into M3 16:54:38 <rkukura> The patch isn’t that “big” :) 16:54:49 <Sukhdev> so, there is time 16:54:54 <scheuran> that would be great 16:55:21 <scheuran> armax just dropped a note that it is in risk..so I was thinking if he meant the m2 as deadline... 16:55:27 <rkukura> Lets see if we can get it in M2, just to be safe. 16:55:30 <scheuran> it = the blueprint 16:55:40 <armax> scheuran: I didn’t mean that it must make M2 16:55:57 <rkukura> armax: Thanks! 16:56:01 <armax> scheuran: but that we simply gotta get on with it :) 16:56:09 <scheuran> armax, great news, thanks! 16:56:31 <rkukura> 4 minutes left - anything else? 16:56:33 <armax> scheuran: I’ll look at the patch you pointed me asap 16:56:43 <Sukhdev> scheuran : so, relax, you have time :-):-) 16:56:44 <armax> hopefully by the end of the day 16:56:50 <armax> Sukhdev: no! 16:57:05 <armax> Sukhdev: gotta work under the assumption that time has run out already! 16:57:06 <scheuran> armax, thank you. any input helps to make progress... 16:57:29 <Sukhdev> armax : got it 16:57:47 <rkukura> Sukhdev: Where do we stand on the adding network ID to type driver calls patch? 16:58:26 <Sukhdev> rkukura : there was a patch pushed - armax and kevinbenton provided some great feedback 16:58:53 <rkukura> Sukhdev: Saw that, but am not clear if its going forward or not 16:59:04 <armax> I thought the idea was shelved, based on the lack of feeback from the submitter 16:59:27 <Sukhdev> rkukura : No - we are considering dropping it - we figured out another way to deal with this 17:00:04 <Sukhdev> armax : correct - we came up with an alternative, which will take care of it 17:00:05 <rkukura> OK, thanks. If that’s the case, might make sense to abandon it so reviewers ignore it 17:00:24 <armax> Sukhdev: so should the bug/patch be abandoned? 17:00:25 <rkukura> Or switch to WIP 17:00:42 <Sukhdev> rkukura : yes, will abandon it or will WIP on it 17:00:55 <rkukura> we are out if time! 17:01:00 <rkukura> Thanks evevyone! 17:01:05 <rkukura> #endmeeting