*** lnicolas has quit IRC | 00:09 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 00:16 | |
*** AlexeyAbashkin has quit IRC | 00:21 | |
*** openstackgerrit has joined #openstack-fwaas | 00:24 | |
openstackgerrit | Merged openstack/neutron-fwaas master: Updated from global requirements https://review.openstack.org/535026 | 00:24 |
*** lnicolas has joined #openstack-fwaas | 00:25 | |
*** reedip has quit IRC | 00:52 | |
*** reedip has joined #openstack-fwaas | 00:54 | |
*** annp has joined #openstack-fwaas | 02:28 | |
openstackgerrit | Ghanshyam Mann proposed openstack/neutron-fwaas master: Shrink Tempest scenario manager copy https://review.openstack.org/506866 | 03:06 |
*** annp has quit IRC | 03:29 | |
*** bbzhao has quit IRC | 03:32 | |
*** bbzhao has joined #openstack-fwaas | 03:38 | |
*** annp has joined #openstack-fwaas | 03:47 | |
*** annp has quit IRC | 04:28 | |
*** annp has joined #openstack-fwaas | 04:28 | |
*** chandanc has joined #openstack-fwaas | 05:27 | |
*** SridarK has joined #openstack-fwaas | 05:27 | |
*** yushiro has joined #openstack-fwaas | 05:29 | |
*** amotoki has quit IRC | 06:03 | |
*** amotoki has joined #openstack-fwaas | 06:04 | |
chandanc | Hello annp | 06:16 |
yushiro | pin xgerman_ | 06:19 |
chandanc | Could you please verify the traffic drop for communication between ports in FWG to ports outside FWG with SG disabled | 06:19 |
annp | hi chandanc, | 06:29 |
annp | chandanc, have you tested with my case in your environment? | 06:30 |
chandanc | annp: a bit caught up in office today, i will try it during night | 06:31 |
yushiro | annp, chandanc : Hi. Sorry for last meeting. I'm OK now :) | 06:32 |
annp | chandanc, Ok, no problem. | 06:32 |
yushiro | Let me sync up with you for this issue regarding co-existing. | 06:32 |
annp | yushiro, yes, let sync up | 06:33 |
chandanc | brb in 5 mins | 06:33 |
yushiro | sure chandanc | 06:34 |
chandanc | back | 06:43 |
yushiro | 1. fwg(OVS) + sg(OVS) | 06:44 |
yushiro | 2. fwg(OVS) + sg(iptables_hybrid) | 06:44 |
yushiro | 3. fwg(OVS) + sg(noop) We're talking about "2", right? | 06:44 |
annp | I'm talking about using 2. | 06:44 |
yushiro | Yes, and actually, we've targeted to support "1." for fwaas v2. | 06:45 |
annp | Yes, But there can be a bug if a user tries to attach a hybrid port to FWG. | 06:46 |
chandanc | annp what is the result of the test in 1 | 06:46 |
yushiro | annp, I understood. | 06:46 |
annp | Test1 is OK. | 06:46 |
yushiro | I understood that chandanc found a bug in case of "2.". | 06:47 |
openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: WIP: validate port in coexistence mode https://review.openstack.org/536234 | 06:47 |
yushiro | I watched your patch and you're validating a specified port is 'iptables_hybrid' or 'openvswitch'. | 06:49 |
annp | I just proposed the patch to prevent a hybrid_port or linuxbridge port to fwg at https://review.openstack.org/536234 | 06:50 |
annp | yushiro, yes, you're right. So I think we don't need to check coexistence at Firewall L2 agent. | 06:51 |
yushiro | annp, if mechanism_driver is 'iptables', what was the value of 'vif_details' for the port? | 06:52 |
annp | yushiro, :) mechanism_driver is Openvswitch or LinuxBridge | 06:53 |
annp | vif_details is http://git.openstack.org/cgit/openstack/neutron/tree/neutron/plugins/ml2/drivers/openvswitch/mech_driver/mech_openvswitch.py#n53 | 06:54 |
yushiro | oh, sorry. I wanted to talk about 'firewall_drivers' for security_group | 06:54 |
yushiro | https://github.com/openstack/neutron/blob/master/setup.cfg#L157 | 06:54 |
chandanc | annp are you saying that we will not support “2. fwg(OVS) + sg(iptables_hybrid)” combination ? | 06:55 |
yushiro | There are 4 types: 'noop', 'iptables', 'iptables_hybrid', 'openvswitch' | 06:55 |
annp | chandanc, yes, | 06:55 |
chandanc | but this is the most common deployment | 06:55 |
annp | But If we support that, the behavior of FWG can be broken, at least it is not as user expected. | 06:57 |
annp | except you've tested and it worked fine. | 06:57 |
chandanc | hmm, i will surely run some test | 06:58 |
chandanc | in my case both borts was part of FWG | 06:58 |
chandanc | ports* | 06:58 |
annp | chandanc, So please help to test my case in your environment. I'm afraid my environment is not clean. | 06:59 |
chandanc | Sure annp | 07:00 |
chandanc | i will run some tests in the night | 07:00 |
yushiro | Hmm, In order to support hybrid case correctly, we need to add 'iptables' driver for fwaas v2... Because the order of filtering is different due to structure. | 07:00 |
annp | chandanc, thanks in advance. That's reason I put -1 in your patch :) | 07:00 |
yushiro | Anyway, I'll try chandanc's step. | 07:01 |
chandanc | annp: SURE LET ME CHECK AGAIN | 07:02 |
chandanc | but did you figure out where the traffic was dropping | 07:02 |
annp | yushiro, But I think in near future hybrid solution will be deprecated so I think we don't need to care much. | 07:02 |
yushiro | annp, Yes, that is my honest opinion too. We should indicate to users as a WARNING / ERROR message. | 07:03 |
annp | actually, I haven't figured out the issue yet. I've just tested with my case. Then I'm focusing to update my patch, because I think my solution is more clear to user. Do you think so? :) | 07:04 |
annp | yushiro, +1 | 07:05 |
yushiro | In my understanding, currently, Neutron supports a mixed environment with both iptables_hybrid and openvswitch. | 07:05 |
annp | yushiro, yep! | 07:06 |
yushiro | And, WARNING means they can continue to operate/work. ERROR means they cannot continue to operate/work for this condition. | 07:08 |
yushiro | If fwg(OVS) + sg(iptables_hybrid) doesn't work correctly and it is dangerous to keep on operating/working, it should be notified it as an ERROR. | 07:09 |
annp | yushiro, +1. If we prevent attaching a port to fwg at API level, then we won't worry about coexistence mode. | 07:12 |
yushiro | annp, Yes, but we should also describe carefully in docs about that. | 07:12 |
chandanc | annp: coexistence is enabled only for OVS + OVS | 07:13 |
yushiro | chandanc, +1 | 07:13 |
chandanc | fwg(OVS) + sg(iptables_hybrid) is still considered as standalone | 07:13 |
yushiro | chandanc, Sorry, what does 'standalone' mean? | 07:15 |
annp | from user perspective, Do you think user want to care about a VM, which is run in FWG(OVS) + SG(iptables_hybrid)? | 07:16 |
chandanc | standalone means FWaaS OVS driver will not redirect packets to SG OVS tables | 07:16 |
annp | chandanc, yes | 07:17 |
yushiro | chandanc, aha, I see. | 07:17 |
chandanc | annp: that is the default as of now | 07:17 |
yushiro | However, can we select 'standalone' or 'coexisting' mode for fwaas v2? | 07:17 |
annp | chandanc, So I've asked you to confirm whether in this case fwg will work as expected or not | 07:18 |
chandanc | yushiro: yes | 07:18 |
yushiro | chandanc, OK, sorry I forgot whether it is possible to choose. | 07:18 |
chandanc | it is auto detected as of now | 07:18 |
yushiro | Aha. | 07:19 |
chandanc | the patch we are discussing is about figuring out how to detect this situation | 07:19 |
annp | chandanc, yushiro, As I said above, I'm afraid that will break the behavior of FWG | 07:19 |
yushiro | chandanc, Ah, that's why you were considering agent-side parameters. | 07:19 |
chandanc | yushiro: yes | 07:20 |
chandanc | annp: let me confirm | 07:20 |
annp | chandanc, thanks in advance. | 07:20 |
yushiro | PatternA: VM ---> sg(iptables on linuxbridge) ---> fwg(OVS with standalone mode) ----> | 07:21 |
yushiro | PatternB: VM ---> fwg(OVS with co-existing) ---> sg(OVS) ---> | 07:22 |
chandanc | yushiro: PatternA is not possible as l2 agent can be either LB or OVS | 07:22 |
yushiro | In my understanding, flows are handled in above ordering. | 07:23 |
yushiro | chandanc, ah, PatternA is that we're discussing to support 'standalone' or not support, right? | 07:24 |
annp | PatternA: VM -->sg(iptables hybrid)--> fwg(OVS with standalone mode)? | 07:25 |
chandanc | annp: correct | 07:25 |
chandanc | need to go for lunch | 07:25 |
yushiro | annp, Yes, I wrote in backend technology.. (iptables) Configuration is 'iptables_hybrid' | 07:25 |
chandanc | will catch up on your logs | 07:26 |
yushiro | OK, | 07:26 |
chandanc | please carry on with the discussion | 07:26 |
annp | chandanc, enjoy! | 07:26 |
annp | Please go ahead yushiro | 07:26 |
yushiro | annp, I know your considering PatternA and PatternB is totally different for flow validation order. | 07:26 |
yushiro | s/your/you're | 07:27 |
annp | then? | 07:27 |
yushiro | PatternA: ingress: 1.fwg(ovs with standalone), 2.sg(iptables_hybrid) , 3. VM egress: 1.VM, 2:sg(iptables_hybrid), 3:fwg(ovs with standalone) | 07:28 |
annp | yep | 07:29 |
yushiro | PatternB: ingress: 1.fwg(ovs with coexisting), 2.sg(ovs) , 3. VM egress: 1.VM, 2:fwg(ovs with coexisting), 3:sg(ovs) | 07:29 |
yushiro | This is my understanding for flow validation order. | 07:29 |
yushiro | I think the place to be dropped is different both A and B. | 07:31 |
yushiro | s/both/between | 07:31 |
annp | yushiro, I agree with your flows | 07:32 |
annp | If Pattern A will work as expected, then we can go with chandanc's patch | 07:34 |
*** bbzhao has quit IRC | 07:35 | |
annp | If Pattern A won't work as expected,then I think we should prevent hybrid port in API level. That's my opinion. | 07:35 |
*** bbzhao has joined #openstack-fwaas | 07:35 | |
annp | Do you think so? | 07:36 |
*** SridarK has quit IRC | 07:36 | |
annp | sorry, s/won't/doesn't | 07:36 |
annp | If we prevent hybrid port at API side, then there is no worry at firewall l2 agent side, right? | 07:37 |
yushiro | annp, Sure. | 07:48 |
yushiro | Yes, if "A" works correctly, I think it's OK to go with chandanc's one. | 07:50 |
yushiro | If "A" doesn't work correctly, it's OK for your approach (validating in API layer) | 07:51 |
annp | yushiro, yes, I think so. | 07:52 |
yushiro | Anyway, I think it's better to notify ERROR message for your patch. I'll comment it either. | 07:52 |
annp | So we should wait for confirmation from chandanc, then we can discuss something :) | 07:53 |
yushiro | Yes. | 07:53 |
yushiro | BTW, did you see my e-mail for default fwg? | 07:53 |
annp | yushiro, I think your solution is reasonable. But let's wait for others | 07:54 |
yushiro | annp, Yes, but I'd like to know current behavior. | 07:55 |
yushiro | Whether non-admin user can apply default fwg to a port. | 07:55 |
annp | what do you mean by 'apply', is it 'action=update' or ..? | 07:59 |
yushiro | Yes, update | 07:59 |
annp | non-admin user can't update for default fwg. | 07:59 |
yushiro | Yes, so auto-association works correctly. But, if a user wants to change from default fwg to user-created fwg, | 08:00 |
yushiro | it will fail. | 08:00 |
annp | yes, I think so. | 08:00 |
yushiro | OK. | 08:00 |
yushiro | we're on same page now. | 08:00 |
annp | So it should be a bug. | 08:00 |
yushiro | yes. | 08:01 |
yushiro | In my memory, when auto-association, we elevated a context into admin privilege | 08:01 |
annp | I think we have enough time for bug fix, right? | 08:01 |
yushiro | Of course! | 08:01 |
annp | I have to go to another meeting now. See you later. | 08:02 |
yushiro | OK. | 08:05 |
*** AlexeyAbashkin has joined #openstack-fwaas | 08:05 | |
*** yushiro has quit IRC | 08:05 | |
*** annp has quit IRC | 08:38 | |
*** annp has joined #openstack-fwaas | 08:38 | |
*** jafeha__ is now known as jafeha | 08:44 | |
*** bbzhao has quit IRC | 09:24 | |
*** bbzhao has joined #openstack-fwaas | 09:24 | |
openstackgerrit | Édouard Thuleau proposed openstack/neutron-fwaas master: Implements a plugable backend driver https://review.openstack.org/480265 | 10:07 |
*** yushiro has joined #openstack-fwaas | 10:35 | |
*** annp has quit IRC | 11:03 | |
*** AlexeyAbashkin has quit IRC | 11:06 | |
*** yushiro has quit IRC | 11:07 | |
*** chandanc has quit IRC | 11:09 | |
*** chandanc has joined #openstack-fwaas | 11:14 | |
*** bbzhao has quit IRC | 11:16 | |
*** bbzhao has joined #openstack-fwaas | 11:16 | |
*** chandanc has quit IRC | 11:19 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 11:23 | |
*** yushiro has joined #openstack-fwaas | 14:07 | |
yushiro | ping doude | 14:08 |
doude | hi yushiro | 14:08 |
doude | how are you doing? | 14:08 |
yushiro | doude, hi. Fine thanks :) Sorry for last meeting. | 14:09 |
doude | no problem | 14:09 |
doude | hope you are doing well now | 14:09 |
yushiro | doude, Yup:) And, thanks for your e-mail regarding default fwg. | 14:09 |
yushiro | Good catch. This was a bug and just fixed now :) | 14:10 |
doude | yes do you confirm what I saw? | 14:10 |
yushiro | Yes. | 14:10 |
doude | cool do you have a review I can test/review? | 14:10 |
yushiro | yes, please. Just a moment, please. I'm running py35 now. | 14:10 |
doude | ok great | 14:11 |
yushiro | you can test following procedure: https://etherpad.openstack.org/p/fwaas-sandbox | 14:12 |
yushiro | Just I'm writing :) | 14:12 |
doude | yes I see that yushiro | 14:14 |
doude | fyi, you can specify specific configurations flag in the devstack local.conf file | 14:15 |
doude | as you can see here http://paste.openstack.org/show/650292/ on lines 29 to 31, yushiro | 14:16 |
yushiro | doude, awesome :) | 14:17 |
yushiro | firewall_driver = ovs | 14:17 |
openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Enable to associate ports with default fwg for non-admin users https://review.openstack.org/536845 | 14:26 |
yushiro | After applying this patch, non-admin user also can associate ports with default FWG. | 14:27 |
yushiro | Ah, but don't care about 'ingress_firewall_policy_id' and 'egress_firewall_policy_id' !! will fix.. | 14:34 |
yushiro | hmm,,, but waiting other reviews.. | 14:35 |
*** cleong has joined #openstack-fwaas | 14:42 | |
openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Enable to associate ports with default fwg for non-admin users https://review.openstack.org/536845 | 14:44 |
openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Enable to associate ports with default fwg for non-admin users https://review.openstack.org/536845 | 14:53 |
yushiro | sorry, please review from PS3. | 14:53 |
*** yushiro has quit IRC | 15:00 | |
xgerman_ | o/ | 15:36 |
*** SridarK has joined #openstack-fwaas | 15:41 | |
SridarK | doude: hi | 15:41 |
doude | hi SridarK | 15:42 |
SridarK | doude any thoughts on the email i sent u - to see if we can get this done in 2 phases | 15:42 |
SridarK | i am not sure that is possible | 15:42 |
SridarK | but if we can minimize impact on the reference implementation - will make life a bit easier | 15:43 |
SridarK | in looking thru the changes - maybe it is a bit tricky but i wanted to explore every option | 15:43 |
xgerman_ | yeah, with the clock ticking smaller bites are better… | 15:44 |
* xgerman_ catching up what happened last night | 15:44 | |
doude | I think about that and I think we (at Contrail) can develop our own FWaaS service plugin until we could propose a driver based on the same service plugin as the reference implementation | 15:45 |
xgerman_ | we can definitely try to get your code into R-1 | 15:45 |
doude | but I think it's better for FWaaS to propose an interface to plug exotic drivers like Contrail | 15:46 |
doude | imo | 15:46 |
doude | yes xgerman_ we should not abandon my patch | 15:46 |
doude | It re-organizes FWaaS code and clearly splits DB from plugin code | 15:46 |
doude | and that will permit factorizing | 15:46 |
xgerman_ | +1 | 15:46 |
SridarK | yes exactly | 15:47 |
doude | I'll explain that to my management | 15:47 |
SridarK | this is long standing and we need to get that done | 15:47 |
doude | s/explain/propose | 15:47 |
xgerman_ | yes, so usually Neutron merges Wednesday night so we have about two more days… | 15:47 |
SridarK | doude so do u think we can get a patch in with just the interface defined that u can use for Contrail but the reference implementation stays as is | 15:49 |
SridarK | or u are proposing an out of tree service plugin for now | 15:49 |
SridarK | and then we refactor in R1 | 15:49 |
doude | an out of tree for the moment | 15:49 |
SridarK | doude ok | 15:50 |
SridarK | and we will keep this patchset | 15:50 |
SridarK | but lets propose a bp and get that approved for R-1 | 15:50 |
SridarK | so we are in line with the process requirements | 15:50 |
doude | we don't need it in the FWaaS tree as it's a temporary solution that will be replaced when my patch merges in R | 15:50 |
SridarK | doude: perfect | 15:50 |
doude | yes we are | 15:51 |
SridarK | there should be a very old bp for service drivers but i think u should propose a new bp | 15:52 |
SridarK | we have 2 patchsets in flight at least - that will cause more churn | 15:53 |
SridarK | ok so summary: 1) doude will use an out of tree implementation as a temporary solution for customers | 15:53 |
SridarK | 2) We will retain the current PS | 15:54 |
SridarK | 3) doude will propose a bp for service driver refactor | 15:54 |
SridarK | 4) We will target merge in R-1 as the highest priority | 15:54 |
SridarK | xgerman_: does that seem rational | 15:55 |
SridarK | doude: xgerman_ are we on the same page ? | 15:55 |
doude | sounds good | 15:55 |
xgerman_ | yep | 15:56 |
SridarK | doude: ok - we can see if it makes sense to break up the PS - if reqd - but we can discuss later and if we are early in the cycle - less risk | 15:57 |
doude | sure | 15:57 |
SridarK | doude: thx for ur understanding | 15:57 |
doude | and I think after my patch we can also continue to improve/refactor code | 15:57 |
SridarK | doude: +1 | 15:57 |
doude | I think principlly about sanity checks we is common for all drivers | 15:58 |
SridarK | agreed | 15:58 |
doude | I think principally about sanity checks which are common for all drivers | 15:58 |
*** openstackgerrit has quit IRC | 16:03 | |
*** bbzhao has quit IRC | 16:06 | |
*** bbzhao has joined #openstack-fwaas | 16:07 | |
*** SridarK has quit IRC | 16:07 | |
*** AlexeyAbashkin has quit IRC | 17:02 | |
*** bbzhao has quit IRC | 17:10 | |
*** bbzhao has joined #openstack-fwaas | 17:11 | |
*** bbzhao has quit IRC | 17:16 | |
*** 7JTADEBX8 has joined #openstack-fwaas | 17:17 | |
*** bbzhao has joined #openstack-fwaas | 17:17 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 18:31 | |
*** AlexeyAbashkin has quit IRC | 18:35 | |
*** cleong has quit IRC | 21:35 |