14:00:05 #startmeeting fwaas
14:00:08 Meeting started Tue Jan 17 14:00:05 2017 UTC and is due to finish in 60 minutes. The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:10 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:12 The meeting name has been set to 'fwaas'
14:00:30 Hi!
14:00:31 #chair xgerman yushiro SridarK
14:00:40 Warning: Nick not in channel: SridarK
14:00:41 Good morning FWaaS friends
14:00:41 Current chairs: SridarK njohnston xgerman yushiro
14:00:45 o/
14:00:52 Let's wait a moment for everyone to arrive
14:00:54 Hi all O/
14:00:58 hi all
14:01:02 hi,
14:01:05 Hello all
14:02:08 ok, let's get started
14:02:18 #topic Stadium Compliance
14:02:28 We had a huge set of merges last week
14:02:35 Yes.
14:02:38 congratulations all - just about everything is now done!
14:02:51 + 1
14:03:04 Thank you
14:03:04 api definitions are now merged into neutron-lib, as is the api-ref and the OSC
14:03:36 neutron-lib was just released, so this morning I will spin a patch to migrate to using the neutron-lib api definition
14:04:07 The only thing left to do is something that I can now start looking at, which is the fullstack work - as soon as the python-neutronclient release happens
14:04:24 awesome
14:04:27 anything else on the Stadium?
14:04:49 Hi All Sorry to be late connectivity issues
14:04:53 Hi SridarK :)
14:04:56 no problem SridarK!
14:05:30 OK, so that covers the Neutron Stadium. Next up...
14:05:35 #topic FWaaS v2
14:06:02 #link https://review.openstack.org/348177 neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath)
14:06:15 I saw you spun a new patchset for this
14:06:18 can
14:06:21 chandanc
14:06:23 (sorry)
14:06:34 looks like it is still having issues with the tests
14:06:47 ya, i was able to do some tests with the patch
14:06:54 I worked a bit this weekend on sorting out the output of the iptables dump to figure out the differences
14:07:01 it's difficult
14:07:16 njohnston, i am mostly done with the UTs
14:07:26 will be sending a patch with the fixes
14:07:39 mostly by today
14:07:44 Super!
14:07:47 chandanc_: great
14:08:03 ya, actually i was able to run some tests with fwaas-v1
14:08:09 that help a lot
14:08:27 excellent
14:08:32 with this hopefully we can quickly move fwd on L2 integration
14:08:35 +1
14:08:37 reminder: next week is feature freeze for Ocata
14:08:42 i might still ask for some help in testing, will send a mail with the details
14:08:51 so if you need any help please reach out sooner rather than later
14:08:55 +1
14:09:06 how quickly time flies esp on a shorter cycle :-(
14:09:08 yes, will do
14:09:21 yes very shorter..
14:09:38 next is
14:09:39 #link https://review.openstack.org/361071 neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)
14:09:48 I believe I saw a PS from padkrish there
14:10:07 er, no, I am wrong, it was
14:10:07 #link https://review.openstack.org/323971 neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)
14:10:09 no that was for the L2 agent
14:10:42 i had a look at the L2 patch as well, the patch looks good in terms of UT but will come to know once integration begins
14:11:06 So let's talk about the driver - once the neutron change happens, is this pretty much ready to go?
14:11:45 it seems nearly, but more when i can give it a test run
14:11:50 chandanc_: since we cannot create dependency, perhaps we need to handcraft something for some manual testing
14:12:29 SridarK, please let me know if you have some idea on the test part, it will be of help
14:12:58 chandanc_: yes we can focus on functional correctness as step 1
14:13:11 ya agree
14:13:30 chandanc_: we can discuss some more on this
14:13:40 sure
14:13:43 ok
14:13:54 chandanc_: will ping u later
14:13:58 hi
14:14:05 did I miss anything
14:14:06 sure SridarK
14:14:10 reedip_: hi
14:14:15 hi reedip_
14:14:17 hi
14:14:21 and switching back to the L2 extension, how does that look yushiro? SridarK, any recent communications from padkrish?
14:14:42 njohnston: yes padkrish made some updates
14:15:23 yushiro: sorry i could not sync with u last week but we can set a time today eve (Pacific) and ur Wed morn
14:15:47 SridarK, njohnston, I'm testing/editing l2 agent patch on my local devstack now. OK!
14:15:50 i will ping padkrish for a time and let u know - we can try to close out any remaining pieces quickly
14:16:03 excellent
14:16:04 SridarK, Sure.
14:16:20 once this is in we can be ready for the L2 driver piece
14:16:52 anything else on FWaaS v2?
14:17:20 #topic neutron-lib
14:17:54 Not much to say here, just that with the release of neutron-lib there'll be a patch or two that start making use of things we have added to it.
14:18:37 yeah!
14:18:37 Not really pushing anything else forward in neutron-lib at the moment; once Ocata is locked I will update the punchlist.
14:19:08 moving on
14:19:09 #topic performance improvement for v1
14:19:23 hi
14:19:35 tuhv: you have the floor
14:19:46 i updated my patch to be independent on Neutron
14:19:55 it is ready for review
14:20:08 excellent, I will take a look at it, probably tomorrow
14:20:15 tuhv, Sure. will do tomorrow.
14:20:17 thanks
14:20:32 thanks for the link to the testing scripts that you put in the meeting notes, that is very helpful
14:20:41 you can take my guide on github
14:20:52 njohnston, thanks
14:21:01 njohnston, It is really appreciated.
14:21:03 #link https://github.com/uttu90/FWaaSNetlink - Reference scripts for testing netlink performance
14:21:25 OK, next up
14:21:29 #topic bugs
14:21:53 yushiro has been finding a number of bugs - an outstanding effort, to be sure
14:22:10 njohnston, You're welcome. Please talk about some bugs.
14:22:14 yushiro: nice
14:22:27 +1 Great
14:22:28 yushiro: You've detailed these in the meeting notes, I think my first question is, have you filed bug reports in Launchpad for these?
14:22:31 +1
14:22:38 Yes, I get an email every day from Launchpad that yushiro logged a bug ;)
14:22:58 :-)
14:23:22 yushiro: If you have created changes to fix these could you link to them as well?
14:23:23 njohnston, 1, 2 not yet. Regarding 1, I need agreement.
14:23:30 To go through the bugs:
14:23:37 1. Default parameter of 'protocol' in firewall-rule is 'ICMP' (It seems 'tcp' is more useful)
14:23:52 I agree that if there is to be a default, tcp should be the default.
14:23:57 +1
14:24:07 +1
14:24:15 njohnston, Thanks. So, we need to file bug-report about '1'
14:24:23 yep
14:24:34 TCP makes more sense
14:24:38 yushiro: do u recall if this behavior is spilling over from v1 ?
14:25:28 SridarK, hmm, sorry I verified only v2
14:25:40 SridarK, I'll check the behavior on v1.
14:25:40 yushiro: np - will take a look
14:25:53 Ok, so we might check v1 if we have time, but more important to fix it in v2
14:26:08 Bug 2. 'public' visibility does not run correctly: non-admin user cannot see 'public' resource.
14:26:32 I have a v1 setup.. will check and confirm
14:26:33 this seems like a significant problem
14:26:38 njohnston, Thanks. I think bug2 is definitely a bug. (not filed bug-report)
14:26:57 hmm indeed this is a serious issue
14:27:05 SarathMekala: ok thx
14:27:06 +1
14:27:25 not sure if that would be fixed by policy.json?
14:27:43 xgerman, regarding bug2, not fixed.
14:27:49 ok
14:27:56 I doubt that it is a policy.json issue
14:28:09 njohnston, I think so too.
14:28:48 so definitely file a bug for this and we can work on it urgently
14:29:20 yushiro: in what u have seen - do u think we are missing some validation logic for this ?
14:29:25 we should check with policy
14:29:32 it seems we have a rule for that
14:29:44 yes i am wondering too
14:29:46 SridarK, sorry. about bug2?
14:29:58 "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
14:30:14 yushiro: yes Bug2
14:30:17 yes
14:30:36 yes anyone should be able to get a shared firewall
14:30:49 so it might be as easy as fixing that, that is good
14:30:49 SridarK, sorry, I'm not sure. will check fwaas source code.
14:31:04 yushiro: np - i will check too on this
14:31:17 Bug 3. Firewall policy and rule are not enforced policy (Non-admin user can create 'firewall_policy' or 'firewall_rule' with 'public' attribute)
14:31:32 Yushiro notes:
14:31:49 I applied https://review.openstack.org/#/c/404942/ but not changed. Result is as follows:
14:31:49 - firewall_group: http://paste.openstack.org/show/595195/
14:31:49 - firewall_policy: http://paste.openstack.org/show/595198/
14:31:51 - firewall_rule: http://paste.openstack.org/show/595196/
14:32:10 njohnston : so a non-admin user cannot create shared firewall_rule/policy ?
14:32:25 Regarding bug3, I checked applying xgerman's patch and not applying patch but unfortunately, it was same result.
14:32:37 :-(
14:32:48 i am wondering if we have some relation to Bug2
14:32:53 reedip_: correct, the way we have implemented it right now, you need to be admin to create a shared firewall_policy or firewall_rule
14:33:21 yep, I changed a scenario test to update something less contentious
14:33:30 Why the result is different b/w firewall_group and other resources...
14:33:45 probably a bug in the policy?
14:35:20 and finally 4 is for OSC problems
14:35:20 xgerman, regarding bug3, maybe policy's bug but I'm not sure currently.
14:35:41 yeah, I am a bit confused as well…
14:35:43 Bug 4.1. Cannot get 'ports' attributes from firewall_group (Even if OSC plugin fixed, current firewall_group doesn't have 'ports' attributes in GET response. https://bugs.launchpad.net/neutron/+bug/1640395 relates this situation.)
14:35:43 Launchpad bug 1640395 in neutron "Missing 'ports' attribute when GET firewall-groups" [Low,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)
14:36:10 njohnston, so sorry!! Regarding OSC problems, I'll post PS ASAP :)
14:36:31 no problem yushiro, I am just glad you found these!
14:36:34 ok let me refresh my memory on what is going on with 4.1
14:37:48 yushiro: did u already do some work on 4.1 or i can work on it today
14:37:51 and Bug 4.2. Cannot get 'firewall_rules' attributes from firewall_policy
14:38:14 yushiro mentioned in the meeting notes that he already has a PS to address 4.1 and 4.2.
14:38:15 Sorry I got disconnected in between
14:38:24 yushiro: Could you send a link?
14:38:25 SridarK, Yes 4.1 and 4.2, I've already created PS(UT not yet)
14:38:36 yushiro: ok
14:38:47 njohnston, sorry, In my local environment not posted yet.
14:38:57 yushiro: ah ok
14:39:10 OK, as soon as you upload it could you ping the url in the #openstack-fwaas channel?
14:39:43 is there an FWaaS Channel :O
14:39:44 4.1 and 4.2's cause were typo and missing argument into some methods.
14:40:00 njohnston, Sure.
14:40:06 yushiro: ok perfect, we can get these in quickly
14:40:20 perhaps when u start ur day
14:40:34 We should end up with unit/fullstack/tempest tests for each of these (as appropriate) but I do not think we need to have those right now, we could add them after Ocata is frozen. I would rather go without a tempest test but get fwaas v2 delivered than the other way around.
14:40:49 +1
14:40:49 njohnston: huge +1
14:41:02 +++1
14:41:07 and we do have some more time with bugs
14:41:26 SridarK, yes
14:41:49 https://bugs.launchpad.net/neutron/+bug/1657084
14:41:49 Launchpad bug 1657084 in neutron "[RFE]Add time period attribute to firewall_rule" [Undecided,New] - Assigned to zhaobo (zhaobo6)
14:41:57 This was logged recently
14:42:12 I had a similar bug for v1 but it was declined at that time
14:42:34 reedip_: Interesting, I will take a look at that
14:42:51 reedip_, thanks for your information.
14:43:04 I think it becomes a little tricky with iptables
14:43:15 we need to use an iptable extension for time periods
14:43:16 this will need some work possible to effect this - more a featurette
14:43:34 i would say let's look at it for Pike
14:43:34 njohnston, yushiro : I had one feature for FwaaS v1 ; https://review.openstack.org/#/c/236840/
14:43:49 That was shot down earlier, wanted to know if it can be put forward
14:44:13 SarathMekala: I don't think we would encode the time period data in iptables; I think neutron-fwaas, as the orchestration engine for iptables, would need to track the time and add/remove at the specified time intervals.
14:44:46 reedip_: perhaps we can look at it with a v2 lens ?
14:44:49 reedip_, OK. I'll take a look. thanks.
14:45:09 SridarK : Exactly that's what I wanted.
14:45:09 njohnston, yes can be done this way as well.. iptables also have a provision for the same
14:45:16 we are on the path to deprecate v1
14:45:31 reedip_: ok perfect, so for Pike ?
14:45:44 surely we can discuss it
14:45:45 SridarK : There is no LIKE option in xchat :P
14:45:56 Any other bugs to bring up?
14:46:08 reedip_: :-)
14:46:09 yes, for Pike. I will log it as a bug and it can be discussed
14:46:15 k
14:46:27 yushiro,SridarK : Checked V1.. TCP is the default option for protocol
14:46:46 ah perfect thx SarathMekala
14:46:47 SarathMekala: Thanks! will file a bug report.
14:47:10 yushiro, one question for you
14:47:20 in V2 enabled has been renamed to public right?
14:47:40 sorry *shared
14:47:53 SarathMekala, Yes, changed from 'shared' to 'public'.
14:48:02 I think there is a bug in the CLI
14:48:12 it still shows shared
14:48:51 SarathMekala, Is CLI OSC plugin? (like 'openstack firewall group show fwg1')
14:48:52 [--tenant-id TENANT_ID] [--shared] [--name NAME]
14:48:55 snippet of the line
14:49:14 let’s file a bug. Should be easy fix
14:49:22 no.. am trying out neutron firewall-create-rule
14:50:07 SarathMekala, aha, I understood. fwaas v2 can only retrieve using 'openstack' command.
14:50:30 SarathMekala, 'neutron firewall-rule xxx' retrieve only fwaas-v1.
14:50:57 oh.. thanks.. I may need to restack with latest code
14:51:29 #topic Open Discussion
14:51:35 #link https://etherpad.openstack.org/p/neutron-ptg-pike If you are going to the Atlanta PTG, note your attendance here!
14:51:36 SridarK, njohnston, xgerman I'd like to talk a little about bugs at openstack-fwaas.
14:51:47 yushiro: absolutely
14:51:58 yushiro: yes
14:52:11 I gotta run but will be back in an hour
14:52:16 njohnston, SridarK xgerman : Thanks
14:52:38 I like to have this policy thing resolved… armax is really throwing us a wrench
14:53:24 anyhow, gotta run… o/
14:53:30 xgerman: bye
14:53:34 xgerman, aha, OK. bye!
14:54:06 Does anyone have anything else?
14:54:17 nothing else from me
14:54:53 same time next week ?? ( I forget when is FWaaS meeting :( )
14:54:54 nothing.
14:54:56 I got pulled into some work and could not make progress on horizon
14:55:12 SarathMekala: no worries - it will be Pike anyways
14:55:12 reedip_: Yes, same time next week!
14:55:17 SridarK, can we catchup on testing tomorrow ? i will need to be away today
14:55:22 oh ok
14:55:25 chandanc_: yes surely
14:55:26 reedip_, 14:00 UTC http://eavesdrop.openstack.org/#API_Working_Group
14:55:35 SridarK, thanks
14:55:40 chandanc_: ur morning and pacific eve/night
14:55:49 reedip_, at #openstack-meeting-4
14:55:54 sure
14:55:58 will ping
14:56:07 chandanc_: or even in a couple of hours
14:56:07 I definitely hope I can go PTG :)
14:56:21 yushiro: u are still waiting on the travel ?
14:56:30 will try, but can't promise :(
14:56:39 I also am on the hooks for the PTG
14:56:43 SridarK, yes
14:56:47 chandanc_: no prob ur morn for sure then
14:56:53 sure
14:57:11 yes travel budgets are getting tighter
14:57:40 I will definitely be at Atlanta and whatever the next PTG is, but I probably will not be in Boston and Sydney, it turns out
14:58:07 njohnston: oh
14:58:13 oh... njohnston
14:58:44 I hope you do visit Sydney ... :)
14:58:47 for us too each one is "kind of depends" ...
14:58:49 travelling 4x a year is more than I can make happen it seems
14:59:03 I hope I do too :P
14:59:11 :)
14:59:12 reedip_: I agree!
14:59:18 it will be int to see how much the PTG model catches on
14:59:26 1 min warning
14:59:42 all right folks thx for attending and have a great week
14:59:58 let's do the big push for L2
15:00:03 +100
15:00:05 OK, thanks everyone!
15:00:06 Yes definitely
15:00:08 #endmeeting