16:02:02 <pc_m> #startmeeting vpnaas
16:02:03 <openstack> Meeting started Tue Aug 25 16:02:02 2015 UTC and is due to finish in 60 minutes.  The chair is pc_m. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:06 <openstack> The meeting name has been set to 'vpnaas'
16:02:12 <pc_m> #topic Announcements
16:03:04 <pc_m> The VPN devstack plugin is done, minor snag on upstreaming (a neutron change broke VPN and so I had to rebase/resubmit).
16:03:40 <pc_m> I split the model from the database logic, so that we can support new models being developed.
16:04:10 <pc_m> #link https://review.openstack.org/#/c/216248/
16:05:08 <pc_m> I've been working on endpoint groups implementation. Have 2/3 of it done, but there is a snag with how to handle backwards compatibility so discussing with salv-orlando
16:05:53 <pc_m> Using the VPN devstack plugin for neutronclient also has a snag, and need to determine how to handle jobs.
16:06:11 <pc_m> Sent email to ML and need to discuss with mestery and dougwig
16:06:58 <pc_m> There are several people tackling some things right now... MTU support, Rally scenario tests, and VPN API migration.
16:07:27 <pc_m> Please help out with reviews on all pending items so we can get them into L-3 (or as soon as possible).
16:07:34 <pc_m> Any other announcements?
16:07:50 <ajmiller> pc_m: one quick one
16:07:57 <pc_m> shoot...
16:09:01 <ajmiller> We did a security review of VPNaaS, found a couple of minor issues, one we sort of discussed last week.  The other I submitted a bug report about last night, and the security team decided it is OK to fix in public, it isn't horribly serious
16:09:08 <ajmiller> https://bugs.launchpad.net/neutron/+bug/1488320
16:09:08 <openstack> Launchpad bug 1488320 in neutron "neutron-vpnaas uses bad file permissions on PSK file" [Undecided,New]
16:09:31 <ajmiller> I have patches to neutron and neutron-vpnaas for this.  The PSK file is world-readable inside the network node.
16:09:51 <pc_m> ouch
16:09:59 <ajmiller> yeah
16:10:06 <pc_m> The root ownership is OK?
16:10:14 <pc_m> for processes?
16:10:45 <ajmiller> yes, that is OK.  The ipsec pluto processes are only listening on internal control plane networks until a VPN connection is established.
16:11:14 <ajmiller> At that point it is listening to the SNAT, but that is standard openswan behavior, nothing specific to VPNaaS
16:11:44 <pc_m> great
16:11:45 <ajmiller> StrongSwan is the wave of the future.  And users have the option of using external, hardware-based VPNs
16:11:53 <pc_m> Thanks for digging into this.
16:12:40 <pc_m> Yeah, the goal is to have StrongSwan as the default ref. impl.
16:13:16 <pc_m> With MTU some issues were found. Openswan supports per connection (as do other drivers). Strongswan supports per service.
16:14:28 <pc_m> Which would imply a conflicting API change needed to support. I suggested as a short term solution, to just enforce (via validation) that all connections on a service use the same MTU for SSwan driver.
16:15:34 <madhu_ak> I would like to have infra folks from neutron to review infra patch #link: https://review.openstack.org/#/c/211767/ to move forward with VPN API migration
16:18:01 <pc_m> madhu_ak: You'll want to talk to dougwig about his -1. He's the I/F with infra, so we should get his buy in first.
16:18:26 <pc_m> Any other announcements?
16:18:31 <madhu_ak> sure
16:19:12 <pc_m> #topic Endpoint Groups
16:20:17 <pc_m> Just to bring people up to speed. This involves a change to the existing API. The initial thought was that we could try to do this with existing v2 API and not have a backward incompatible change, as few were using the APIs.
16:20:55 <pc_m> However, there are two operators who are using the API in production and they'd like backward compatibility. I'm in discussions to see how to best handle that.
16:21:11 <pc_m> I'll update the patchset, once that is resolved.
16:21:32 <pc_m> Beyond that, I need to do update API, and validation and the endpoint groups part is done and ready for review.
16:22:47 <pc_m> Would love to see people look over the code (https://review.openstack.org/#/c/212692/), and also to look at the dev ref doc (https://review.openstack.org/#/c/191944)
16:23:03 <pc_m> Anything that we can iron out early will save time overall.
16:23:22 <pc_m> Plan is to then apply changes to do multiple local subnets (which operators want).
16:23:49 <pc_m> #topic VPN Functional Tests for Neutron commits
16:24:23 <pc_m> No activity on this. Need to figure out why neutron patchset is not being used in the test run. Haven't had any time to pursue.
16:24:47 <pc_m> #topic Bugs and Reviews
16:25:09 <pc_m> Please look at the bugs http://bit.ly/1PwD6bi and help out if you can.
16:25:42 <pc_m> Reviews are here:  https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z and could use reviewers so that we have a better chance of getting cores to approve.
16:25:54 <pc_m> Anyone have specific bugs to discuss?
16:27:09 <pc_m> #topic Open Discussion
16:27:24 <pc_m> Anyone have anything to discuss related to VPNaaS?
16:27:50 <ajmiller> I don't have anything more, and have another meeting now.
16:28:02 <pc_m> Please do help out with reviews, so that we can get commits through.
16:28:07 <ajmiller> Will do
16:28:24 <pc_m> OK. Will give back 30 mins to everyone. Thanks for joining!
16:28:39 <pc_m> #endmeeting