18:01:24 #startmeeting networking_policy 18:01:24 Meeting started Thu Mar 19 18:01:24 2015 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:28 The meeting name has been set to 'networking_policy' 18:01:45 hi 18:01:52 #info agenda https://wiki.openstack.org/wiki/Meetings/GroupBasedPolicy#March_19th.2C_12th_2015 18:02:18 #info kilo-2 was released as planned: #link http://lists.openstack.org/pipermail/openstack-dev/2015-March/059236.html 18:02:43 things which did not make it into kilo-2 now moved to kilo-3 18:02:56 #info kilo-3 deadline is April 15th 18:03:09 so we are the real business end of the release now! ;-) 18:04:04 we also had the PTL elections (per project requirements), and the results were declarded: #link http://lists.openstack.org/pipermail/openstack-dev/2015-March/059317.html 18:04:17 thanks to malini for shepherding the elections 18:04:18 congrats SumitNaiksatam! 18:04:27 congrats! 18:04:39 rkukura: yi: thanks ;-) 18:04:40 Congrats SumitNaiksatam!! 18:04:43 mageshgv: thanks 18:04:51 so lets start with the standing agenda items 18:04:58 #topic Bugs 18:05:07 at least one critical bug this time: 18:05:15 #link https://bugs.launchpad.net/group-based-policy/+bug/1433530 18:05:16 Launchpad bug 1433530 in Group Based Policy "GBP Kilo release should be in sync with Neutron Kilo" [Critical,New] - Assigned to Magesh GV (magesh-gv) 18:05:26 hi 18:05:34 we have known this for a while, so mageshgv thanks for jumping on this 18:06:03 #link https://review.openstack.org/165377 18:07:25 i agree with ivar-lazzaro’s comment there, that should be added right away so that we can catch all other issues with the neutron integration at least at the UT level 18:07:55 mageshgv: are you comfortable with this or is it blowing up into too many changes? 18:08:28 SumitNaiksatam: It looks pretty straight forward for the server 18:08:36 mageshgv: okay 18:09:16 on the client side also, there are similar oslo changes, and we should do that in parallel to bump up the neutron client dependency to 2.3.10 18:09:41 #link https://review.openstack.org/#/c/165378/ 18:09:44 mageshgv: i believe you need this for your floating IP support impl as well? 18:09:57 mageshgv: oh nice, sorry i did not catch that 18:09:57 The client has some tricky changes though 18:10:17 mageshgv: hmmm, ok 18:10:41 As for floating IP, I can post a WIP patch may be tomorrow 18:10:57 mageshgv: sweet, lets get to that in the specs discussion 18:11:32 ivar-lazzaro: you wanted to discuss: #link https://bugs.launchpad.net/group-based-policy/+bug/1432816 ? 18:11:33 Launchpad bug 1432816 in Group Based Policy "inconsistent template ownership during chain creation" [Undecided,New] - Assigned to Ivar Lazzaro (mmaleckk) 18:11:43 SumitNaiksatam: yep 18:12:07 To give a quick summary, the problem in on SC instance ownership 18:13:14 a chain can be triggered in many different ways... By someone providing a PRS, or consuming it 18:13:25 or even by an admin changing the PRS rules 18:13:40 ivar-lazzaro: true 18:13:52 Even though the intent is the same, the final state diverges depending on the user that triggers the chain 18:14:20 for example, suppose you have a shared PRS, and TenantA provides it 18:14:40 TenantB consuming it will trigger the chain, and TenantB will be the owner of the SC instance 18:15:13 However, if TenantB was previously consuming the chain, and then TenantA triggered the instance by providing the same PRS 18:15:24 ivar-lazzaro: mageshgv: shouldn’t the SC intance be always owned by admin (since its an internal artifact)? or does that cause issues with sharing due to associations with other resources? 18:15:37 In this case the SC instance (and the HEAT stacks) will be owned by tenantA 18:16:06 This becomes a problem when a given tenant starts the action, and another one do the opposite (eg. destroy the chain) 18:16:27 this would fail because the tenant triggering the destruction is not owning the chain 18:17:02 SumitNaiksatam: that's the question I want to bring up... who has to own the chain? 18:17:17 SumitNaiksatam: the admin? The provider? The consumer? 18:17:40 ivar-lazzaro: what's the difference between SFC case and other cases? 18:17:42 SumitNaiksatam: admin owning the SC instance does solve this issue. 18:17:46 in case of admin that would be a parent PRS with the SC, is that right? 18:18:06 hemanthravi: there is no PRS hierarchy issue here 18:18:23 Yi: that with SFC some heat stacks are created, and owned by a given tenant 18:18:32 ivar-lazzaro: the owner should not be the consumer IMO. It can be either the admin or the provider 18:18:41 Yi: and they cannot be destroyed unless the very same tenant triggers the disruption 18:18:48 mageshgv: I agree 18:19:28 mageshv: agree 18:19:32 hemanthravi: the issue is that we create service chain instances internally (triggered by some other user actions), and currently we dont consistently use the same tenant to create/modify the SC instance 18:19:43 The advantage of having the provider owning it is that he can go and modify manually the instances if available 18:19:59 ivar-lazzaro: true but that would be concern too, no? 18:20:04 But it will hit his/her quota (in the VM case for example) 18:20:49 The advantage of having the admin as the owner is that all the chains belong to the same place, but they won't be visible by the tenants 18:21:13 ivar-lazzaro: they can always be visible, right? 18:21:20 ivar-lazzaro, SumitNaiksatam: may be we can even consider something similar to this #link https://review.openstack.org/#/c/101281/ 18:21:30 SumitNaiksatam: no unless you share them 18:21:37 ivar-lazzaro: its just that the non-admin user wont be able to modify 18:21:53 ivar-lazzaro: true, or we could add another user 18:22:05 ivar-lazzaro: but we can't assume that admin always as owner of chain, right? 18:22:07 user -> role, i was going to mention that earlier 18:22:13 SumitNaiksatam: even in that case, providers and consumers won't be able to see the instances 18:22:15 ivar-lazzaro: but then the admin would need to pre-create all possible chains, right? 18:22:30 yapeng: it could be a configurable user 18:22:43 yapeng: this is chain instance that is internally created 18:22:44 yapeng: which is an Admin and which can create Heat templates 18:23:23 igordcard: hi, good to see you join the meeting - to your question, no, not required to pre-create 18:23:31 But there are other issues to consider, like how a VM (NFV) could be attached to one or more networks belonging to different tenant 18:23:52 ivar-lazzaro: here is my suggestion (dont mean to prolong the discussion) - 18:24:26 ivar-lazzaro: i think people need a little more time to think about this, so i believe this is an excellent topic to bring up on the -dev ML 18:24:40 SumitNaiksatam: +1 18:24:44 and we can have the discussion there and try to wrap this up in a couple of days, sound okay? 18:24:51 +1 18:24:58 SumitNaiksatam: +1 18:25:33 okay good, i believe ivar-lazzaro has given it the most thought, so i more inclined to go with his approach, but there are other groups working on similar problem, so lets see if we hear from them 18:25:59 ivar-lazzaro: mageshgv: igordcard yapeng Yi hemanthravi: thanks for your input on this 18:26:35 ivar-lazzaro: i bumped the other bug assigned to you to Critical (support for redirect in external policy) 18:26:45 ivar-lazzaro: but i believe you have that covered 18:26:52 SumitNaiksatam: thanks, there's already a patch there 18:27:03 which brings up another question actually 18:27:10 ivar-lazzaro: ah okay, #link https://review.openstack.org/164920 18:27:24 do we have time to discuss this? 18:27:30 as matter of sanity, we will discuss every critical bug in this meeting 18:27:32 ivar-lazzaro: yes 18:27:40 critical bug is show-stopper 18:27:41 ok 18:27:43 #link https://bugs.launchpad.net/group-based-policy/+bug/1432779 18:27:44 Launchpad bug 1432779 in Group Based Policy "redirect actions don't work with external policies" [Critical,Confirmed] - Assigned to Ivar Lazzaro (mmaleckk) 18:28:12 The quick summary is that chains are not triggered when one of the actors is an External Policy 18:28:35 which is obviously needed (ie. LB in front of Web access) 18:28:48 ivar-lazzaro: okay, i believe this was an oversight in the earlier integration between the external connectivity and service chaining? 18:29:00 SumitNaiksatam: yes 18:29:06 and it was discovered during recent integration testing 18:29:29 In my current implementation, a chain can only be consumed by an External Policy 18:29:29 ivar-lazzaro: thanks for catching that and jumping on it 18:30:10 when an external policy provides a chain, it's managed like a normal ALLOW action 18:30:11 just a friendly suggestion to everyone, please add “group-based-policy-core” to the reviewer’s list when you submit a patch 18:30:23 SumitNaiksatam: woops 18:30:26 ivar-lazzaro: right 18:30:59 once you add that alias, all cores will get automatically added and it will show on the review dashboards 18:31:02 SumitNaiksatam: ahh, thanks 18:31:06 ivar-lazzaro: sorry did not mean to interrupt 18:31:17 I was wondering if there are any use cases for which we want to enable chaining also on a EP *providing* a PRS 18:31:25 SumitNaiksatam: np, that was a good observation 18:32:52 ivar-lazzaro: but seems like you have this covered 18:33:08 I don't see an EP providing a Load Balancer for instance... But I can see it providing an IDS 18:33:11 ivar-lazzaro: good question, i have not thought through that 18:33:34 ivar-lazzaro: not sure about IDS, i think hemanthravi might have more insight here 18:33:48 ivar-lazzaro: but i would suggest that this is also a great question for the -dev ML 18:34:04 ivar-lazzaro: why no LB? 18:34:35 Yi: well, the external policy is the rest of the world, Who are the members of the load balancer in that case? 18:35:21 Yi: in the RMD case, the porta on the External Network are usually router interfaces 18:35:24 ivar: In case the EP is for provider resources such as a logging service, etc the IDS might not be required 18:35:41 if service chaining evolves to support other kinds of services, even provided by VMs, it may make sense for future use cases to have chaining on provider EPs.. 18:35:53 hemanthravi: good point, “logging service” seems like a good example 18:36:01 igordcard: +1 18:36:03 hemanthravi: logging seems a good case 18:36:24 ivar-lazzaro: lets take this to the ML as well ;-) 18:36:35 ivar-lazzaro: sorry, dont mean to delay things 18:36:44 roger that 18:36:45 ivar-lazzaro: but good to have broader discussion 18:37:05 don't think we need to support SC for EP provider at this time 18:37:07 SumitNaiksatam: it makes sense to me, it's a great help for making decisions 18:37:17 ivar-lazzaro: okay 18:37:18 SumitNaiksatam: the more use cases people have in mind, the better 18:37:41 hemanthravi: okay, lets chime in on the ML (ivar-lazzaro will send email and start the discussion) 18:37:52 any other bugs anyone wants to discuss? 18:38:31 #topic Functional/Integration Tests 18:38:44 #link https://review.openstack.org/#/c/161511 was approved 18:38:53 and then there was a follow up patch as well 18:39:29 anyway, summary is that we if you do a “check experimental” it will trigger a job from the openstack infra 18:39:52 the actual job that needs to be run is being configured in gate-hook that resides on teh GBP side: 18:40:00 #link https://review.openstack.org/#/c/161532 18:40:13 i am working on this part 18:40:35 apologies on the slower progress on this, i am learning by trial and error 18:40:44 is jishnu here? 18:41:13 he is working on adapting his test suite to be triggered from this gate job, would have been good to have his update 18:41:29 any questions on this? 18:42:06 we wil soon get to a point where we will require submitting some functional/integration tests with every new feature 18:42:10 and that is a good thing ;-) 18:42:50 if you have spare cycles please feel free to jump in on this activity (ping me offline) 18:43:03 #topic Packaging update 18:43:08 rkukura: over to you 18:43:47 sorry, i dont have the new release of the stable/juno yet 18:43:56 Now that we have a stable/juno update, I need to update the Fedora and RDO packaging. Should get to that over the next week or so. 18:44:11 SumitNaiksatam: I thought you did - sorry 18:44:27 forgot we were still trying to get the policy.json fix in 18:44:53 rkukura: yeah, i was exploring mageshgv’s comment 18:45:13 exploring -> investigating 18:45:21 mageshgv: i will catch up with you offline 18:45:39 #link https://review.openstack.org/#/c/165294/1/setup.cfg 18:45:44 SumitNaiksatam: okay, we can discuss on this offline 18:45:51 It would be great if we could use the policy_dirs approach rather than requiring manual merging of the files. 18:46:05 rkukura: that is not clear to me, but may be i am missing something 18:46:30 mageshgv: thanks for the suggestion though, since i was not even aware of this possibility 18:46:51 rkukura: thanks for the update 18:46:58 mageshgv: you said “this will cause issues” so I’m not assuming it possible - just that it would be nice 18:47:10 #topic GBP Project Proposal 18:47:21 #undo 18:47:22 Removing item from minutes: 18:48:12 Lets followup on the gerrit review 18:48:29 rkukura: okay 18:48:34 #topic GBP Project Proposal 18:48:42 we put the proposal in WIP 18:49:16 since we wanted to address the comments made - (1) PTL election, (2) gate that has more than just UTs 18:49:28 i believe we are past (1) now 18:49:47 once we sort out (2) (and we are getting closer on that), we will remove the WIP 18:50:09 just FYI - the TC meets every tuesday to discuss these type of things 18:50:29 and we need to request being on their agenda 4 business days prior to the meeting 18:50:46 so anyone has any thoughts/suggestions/comments on this please let me know 18:50:55 i am rushing here a little but since we have only 10 mins left 18:51:13 our favorite topic - 18:51:17 #topic Re-factor Group Based Policy with Neutron RESTful APIs 18:51:23 Yi: yapeng: over to you 18:51:47 sorry i havent reviewed the latest changes 18:52:14 how close are we to addressing the last round of review suggestions by ivar-lazzaro and rkukura? 18:52:39 we are wrapping up the UTs. I updated one patch and ready for review. 18:53:07 yapeng: #link https://review.openstack.org/159725 right? 18:53:17 Yes 18:53:23 okay 18:53:34 yapeng: Yi: any blockers? 18:53:50 SumitNaiksatam: on my side, I finished the mixin that Ivar suggested 18:53:57 Yi: sweet!! 18:54:07 but on patching the UT, I have some issues 18:54:08 nice 18:54:34 I have create_resource/update_resource/delete_resource patched 18:54:50 but got issue with get_resource and get_resources 18:55:09 1. for get_resource, or show_resource 18:55:37 it somehow cannot get along with the gbp plugin operations 18:56:10 ivar-lazzaro: can i request you to spare a few minutes to help Yi with this in #openstack-gbp after this meeting? 18:56:21 SumitNaiksatam: sure 18:56:26 for example, getting policy target would be fine if I patch the get_port through plugin call 18:56:38 ivar-lazzaro: thanks 18:56:50 but if I patch the get_port with WSGI, get_policy_target will fail 18:56:56 Yi: okay 18:57:16 Yi: seems like a slightly longer discussion, if you dont mind lets pick it up in #openstack-gbp immediately after this 18:57:24 SumitNaiksatam, ivar-lazzaro: that would be great. thanks! 18:57:41 Yi: nice, thanks for persistence on this! 18:57:58 #topic Floating IP support 18:58:00 #link https://review.openstack.org/157298 18:58:12 mageshgv: i believe you mentioned you will be posting a WIP tomorrow? 18:58:25 mageshgv: will you be updating the spec accordingly? 18:58:51 SumitNaiksatam: yes, I will post the patch tomorrow 18:59:27 once we go over the patch and see that the current approach makes sense at a high level, I can update the bp 19:00:04 mageshgv: okay, but we need to iterate quickly on this 19:00:37 mageshgv: lets identify a couple of point people (in terms of reviewers) that will work with you closely on this to move this forward 19:00:59 mageshgv: thanks for the update 19:01:04 SumitNaiksatam: yes, it should be faster to iterate now that we have a rough implementation 19:01:14 #topic Cross Project Liaisons 19:01:26 rkukura: stepped up for being a liaison for Oslo and Nova 19:01:52 we are still looking for liaisons for other projects, with Keystone and Neutron being a priority 19:01:55 nothing to report yet though 19:01:57 please ping me if you would like to 19:02:02 rkukura: thanks! 19:02:19 #topic Open Discussion 19:02:24 we are two minutes over 19:02:35 anything we missed that you want to bring up? 19:03:27 kilo-3 is crunch time, so lets lock in our focus! ;-) 19:03:33 okay thanks everyone for attending today 19:03:40 bye 19:03:44 thanks SumitNaiksatam! 19:03:45 nye 19:03:47 bye 19:03:48 bye 19:03:48 bye 19:03:48 bye 19:03:52 #endmeeting