14:00:55 <yushiro> #startmeeting fwaas
14:00:56 <openstack> Meeting started Tue Feb 28 14:00:55 2017 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:56 <hoangcx> hi
14:00:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:00 <openstack> The meeting name has been set to 'fwaas'
14:01:01 <SridarK_> lets get started
14:01:11 <tuhv> hi
14:01:23 <yushiro> #chair SridarK_ yushiro xgerman
14:01:24 <openstack> Current chairs: SridarK_ xgerman yushiro
14:01:31 <yushiro> #topic Pike
14:01:47 <yushiro> #link https://etherpad.openstack.org/p/fwaas-pike Pike cycle priorities list
14:02:06 <yushiro> We discussed Pike priority at PTG.
14:02:15 <yushiro> Please refer to the following link.
14:03:37 <yushiro> Please check 'High Priority'
14:03:50 <SridarK_> +1
14:04:16 <SridarK_> PTG was a good discussion amongst FWaaS folks
14:04:41 <xgerman> yep
14:05:00 <yushiro> +2 , sure. Great meeting :)
14:05:11 <yushiro> HIGH:  Remaining works for fwaasv2,  Create fwaas driver for OVS firewall, Tempest test, Horizon
14:05:38 <SridarK_> One of the important outcomes was the direction from the PTL to switch to OVS instead of iptables for Layer2
14:05:49 <yushiro> Note:  OVS(hybrid) will be deprecated in Pike,
14:05:55 <yushiro> SridarK_, Yes.
14:06:36 <SridarK_> yushiro: perhaps we can discuss the impact of switch to OVS ?
14:07:02 <xgerman> that would be good
14:07:05 <yushiro> SridarK_, yes.
14:07:12 <SridarK_> xgerman: had some concerns
14:07:33 <xgerman> I know a ton of people are still on linux bridge so that will hurt our adoption
14:07:44 <xgerman> I checked with RAX and we should be ok-ish
14:07:59 <SridarK_> ok that is good
14:08:00 <chandanc__> yes, What does it mean for people deploying Linux Bridge ?
14:08:37 <xgerman> chnadanc_ this is exactly my concern
14:08:47 <SridarK_> chandanc__: i am not sure if there is an option where SG will happen on Linux Br and L2 FWaaS will happen on OVS
14:09:26 <chandanc__> ok, ya that might be an option
14:09:33 <SridarK_> we may not be able to do that assuming this does not make it more complicated
14:10:08 <xgerman> we should also add that Neutron will evaluate in P-3(?) and might change course
14:10:47 <xgerman> but they won’t merge the modified iptables code until then
14:10:48 <SridarK_> One of the things Kevin mentioned was dealing with the complexity of the iptables changeset that chandanc__ has been dealing with
14:11:00 <xgerman> +1
14:11:03 <yushiro> yes.
14:11:05 <SridarK_> and that this might be cleaner
14:11:08 <chandanc__> yes +1
14:11:20 <chandanc__> i hope the ovs one will be cleaner
14:11:31 <SridarK_> that was his feeling
14:11:41 <yushiro> chandanc__,  yeah.
14:12:21 <chandanc__> Did anyone get a chance to see the code for ovs based firewall
14:12:47 <xgerman> not yet
14:12:48 <SridarK_> chandanc__: no i have not looked at it yet
14:12:57 <yushiro> chandanc__, I'll take a look and need some help for neutron core.
14:13:18 <chandanc__> yushiro, do you have the link to the code ?
14:13:39 <yushiro> chandanc__, Just a moment.
14:14:05 <SridarK_> chandanc__: perhaps u can start taking a peek and if this is simple enough to insert L2 FWaaS - we take the plunge
14:14:26 <chandanc__> SridarK_, yes that was my idea
14:14:41 <SridarK_> and we can come back to support an iptables implementation as Phase2 if there is user feedback that wants that
14:14:50 <reedip> hi sorry
14:15:03 <reedip> for being late
14:15:11 <chandanc__> sure SridarK_
14:15:12 <SridarK_> if this is indeed simpler then we can have an implementation out the door
14:15:21 <xgerman> no worries - we were rehashing the PTG
14:15:40 <xgerman> SridarK_ +1
14:16:00 <chandanc__> sure
14:16:01 <xgerman> Neutron also promised a migration linux bridge -> OVS
14:16:15 <SridarK_> Kevin was pretty sure on making the jump to ovs in Pike - as i had the same concern that we start on a path and then that does not go anywhere
14:16:43 <chandanc__> ok that will be good
14:17:36 <SridarK_> ok esp since from ur input - the iptables change in terms of fixing the existing UT has become quite complex
14:18:12 <chandanc__> yes SridarK_
14:18:29 <SridarK_> ok cool, yushiro pls go ahead
14:19:00 <yushiro> 
14:19:01 <yushiro> Sure
14:19:11 <yushiro> #topic FWaaS v2
14:19:23 <yushiro> #link https://review.openstack.org/348177  neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath/Nate)
14:19:45 <yushiro> chandanc__, Sarath, njohnston :  Are there any updates?
14:20:15 <yushiro> #chair njohnston
14:20:16 <openstack> Current chairs: SridarK_ njohnston xgerman yushiro
14:20:23 <chandanc__> yushiro, no update on this one, i was doing some tests on the integration of l2 firewall driver
14:20:53 <xgerman> also given our new priorities we might have to table that for a while
14:21:04 <SridarK_> xgerman: +1
14:21:11 <yushiro> chandanc__, OK.  Is there some blocking point?
14:21:30 <yushiro> xgerman, yes
14:21:48 <chandanc__> No, i can proceed once the integration tests are completed
14:21:58 <yushiro> chandanc__, OK cool.
14:22:13 <xgerman> sounds good
14:22:47 <yushiro> xgerman, I'll note on etherpad(https://etherpad.openstack.org/p/fwaas-meeting) about that.
14:22:54 <xgerman> k
14:23:03 <chandanc__> I have done some integration tests, the creation of rules with SG and FWG works, but needed some change in the fwaas v2 l2 firewall driver
14:23:04 <yushiro> #link https://review.openstack.org/361071 neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)
14:23:48 <yushiro> chandanc__, yes.  we should specify the endpoint that is defined at setup.cfg.
14:23:54 <chandanc__> continuing from the last update
14:24:50 <chandanc__> the delete port on a FWG does not clear some accept rules , here I am seeing the same dependency on port id as we saw during the port delete
14:25:45 <chandanc__> while deleting the accept rule for a port I need to access the port id, which is not available when a port delete is done on a FWG (update call)
14:26:14 <yushiro> chandanc__, In this case, what about 'drop rule'?  Were they deleted correctly?
14:26:53 <chandanc__> ya eve for the drop rules
14:26:56 <chandanc__> even*
14:27:13 <SridarK_> chandanc__: On the messaging from the plugin - we do send the new ports and the ports to be deleted on an update
14:27:22 <chandanc__> basically the port delete from a FWG is not cleaning up all the required entries
14:27:40 <reedip> chandanc__ : do you mean we have a race condition ?
14:27:54 <chandanc__> no, not a race.
14:28:09 <SridarK_> chandanc__: oh is this potentially a same issue with L3 ports as well ?
14:28:20 <chandanc__> SridarK_, may be i missed on that data
14:29:26 <SridarK_> ok on deleting a port from a FWG - this is initiated by the user and messaged from the plugin
14:29:27 <chandanc__> will have to check the code, but the current code did not  cleanup the firewall rules
14:29:35 <SridarK_> so u should get all the ports-ids
14:30:23 <chandanc__> ok, will check on the port ids received
14:30:24 <SridarK_> chandanc__: ok we can sync more on this later
14:30:30 <chandanc__> sure
14:30:33 <yushiro> OK,  Are there any comments?
14:30:49 <yushiro> OK, next.
14:30:52 <yushiro> #link https://review.openstack.org/323971  neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)
14:31:32 <SridarK_> I think this is mostly done - spoke with padkrish and chandanc__ y'day
14:31:44 <yushiro> SridarK_, +1
14:31:49 <xgerman> nice
14:31:54 <SridarK_> yushiro: u were also going to relook the UT as per padkrish
14:32:13 <SridarK_> the one issue was handling the port delete
14:32:39 <yushiro> SridarK_, yes. I'm trying to add more UTs.
14:32:59 <SridarK_> and how the driver can deal with that - as the plugin record may have been cleaned up due to cascade delete on the plugin side
14:33:47 <SridarK_> chandanc__: was going to check if the driver can go thru and remove the jump rule to FWG chain for the port that got deleted
14:34:11 <SridarK_> my thought was to put  a TODO on that
14:34:40 <chandanc___> sorry lost connection
14:35:11 <SridarK_> and one thing to discuss is that once this is ready - what do we do with this patch until the neutron driver issue is resolved
14:35:45 <SridarK_> we could put a +1 and merge once the neutron driver issue is finished
14:36:15 <xgerman> if we make a depends-on jenkins will automatically check for us
14:36:32 <SridarK_> xgerman: yes agreed
14:37:03 <yushiro> yup
14:37:19 <SridarK_> basically all the L2 related patches will wait on the driver change on neutron
14:37:49 <yushiro> SridarK_, You mean, hybrid to OVS native?
14:37:55 <SridarK_> we can test them with some mocking
14:38:02 <SridarK_> yushiro: yes
14:38:11 <yushiro> SridarK_, aha, OK.
14:38:20 <yushiro> Adding more UTs.
14:38:40 <yushiro> OK, next patch.
14:38:42 <yushiro> #link https://review.openstack.org/#/c/425769/  neutron-fwaas: Generate default firewall group via project (Yushiro)
14:39:32 <yushiro> Cedric updated this patch for thread-safe perspective.
14:40:25 <yushiro> I'll review it and add more UTs.
14:40:35 <yushiro> Sorry Cedric for waiting...
14:41:01 <SridarK_> And yushiro to update all - we decided that we will support default FWG only for L2
14:41:21 <xgerman> +1
14:41:21 <yushiro> SridarK_, yes.
14:42:35 <yushiro> #action yushiro will reply to cedric ASAP on own patch
14:43:20 <yushiro> Are there any comments for this patch?
14:43:39 <SridarK_> yushiro: i will start reviewing also
14:43:53 <yushiro> SridarK_, Thanks.
14:43:57 <yushiro> OK next topic
14:44:03 <yushiro> #topic Stadium Compliance
14:44:18 <yushiro> #link https://review.openstack.org/394619 Add fullstack testing for neutron-fwaas
14:44:58 <yushiro> Can we start testing with this patch?
14:45:33 <reedip> can I take this one if no one is working on it ?
14:45:55 <xgerman> Sure
14:46:00 <SridarK_> reedip: yes can u pls coordinate with njohnston
14:46:16 <reedip> ok, I will
14:46:44 <yushiro> reedip, thanks.  I think it's good news for njohnston
14:46:57 <yushiro> #link https://review.openstack.org/421534 Add action map for neutron-fwaas API definition
14:47:17 <SridarK_> Also in general - we should discuss with njohnston to see how we can transition all the things he was driving on Stadium Compliance
14:47:35 <yushiro> This has already been merged.
14:47:45 <SridarK_> so he can be less burdened except for the things he would like to work on
14:48:01 <reedip> There are some things mentioned by boden in #openstack-meeting for neutron-lib. I am trying to track as much as possible
14:48:18 <yushiro> #link https://review.openstack.org/421472 Use neutron-lib definition of neutron-fwaas API
14:48:28 <SridarK_> #action SridarK_ to sync with njohnston on transition stuff
14:48:39 <SridarK_> reedip: great
14:48:47 <yushiro> reedip, thanks!!
14:48:55 <reedip> yushiro : neutron-lib is being released with v2.1.0
14:49:04 <reedip> so we can just rebase this tag once that releases
14:49:27 <yushiro> reedip, aha, OK.
14:49:41 <yushiro> Currently, this patch got -1 from yamamoto.
14:50:14 <reedip> yes I will check that too...
14:50:38 <yushiro> reedip, oh, thank you.
14:50:51 <yushiro> #topic performance improvement for v2
14:51:05 <tuhv> Hi
14:51:08 <reedip> yushiro : I will check with yamamoto and get this fixed, meanwhile the global-requirements is updated to neutron-lib 1.2.0
14:51:22 <tuhv> currently, I am working on improving Netlink solution
14:51:44 <yushiro> reedip, great.  I also checked his comment and there are nits.
14:51:46 <tuhv> 1) Make conntrack driver be configurable
14:52:03 <yushiro> tuhv, Ok, please go ahead.
14:52:04 <tuhv> https://review.openstack.org/#/c/433598/
14:52:31 <tuhv> 2) Adding netlink_lib with full UTs and functional tests
14:52:42 <yushiro> tuhv, Could you add list of patches into https://etherpad.openstack.org/p/fwaas-meeting  ?
14:52:49 <tuhv> https://review.openstack.org/#/c/437311/4
14:52:59 <tuhv> yushiro, I will
14:53:04 <yushiro> tuhv, thanks
14:53:28 <blallau> Hi, I am working on improving RPC
14:53:33 <blallau> #link https://review.openstack.org/#/c/426287/
14:53:38 <blallau> #link https://review.openstack.org/#/c/424551/
14:53:42 <tuhv> and 3) Adding netlink driver: https://review.openstack.org/#/c/438445/3
14:53:44 <SridarK_> blallau: hi and thanks for joining
14:53:52 <blallau> if someone can take a look, it'll be great :)
14:54:01 <SridarK_> and all the great work
14:54:02 <yushiro> blallau, hi. I see :)
14:54:12 <blallau> it is V1 related but V2 will follow...
14:54:17 <SridarK_> blallau: will do
14:54:21 <tuhv> all these patches are ready
14:54:44 <yushiro> tuhv, OK, will take a look
14:54:49 <tuhv> Netlink lib is now more readable and maintainable than the last one
14:54:55 <SridarK_> yushiro: +1
14:55:07 <hoangcx> SridarK_, xgerman: For v2, I am planning to evaluate current situation of SG based OVS first as we are going to adopt OVS native only for FWaaS.
14:55:12 <tuhv> yushiro: thanks
14:55:27 <SridarK_> hoangcx: yes i think that is good
14:55:29 <hoangcx> SridarK_, xgerman : I will ask one more member to invoke that work
14:55:31 <annp> tuhv: +1 great work.
14:55:40 <hoangcx> from my team
14:55:41 <yushiro> hoangcx, ++1
14:55:56 <SridarK_> hoangcx: but L3 will still be on iptables
14:56:17 <hoangcx> SridarK_, Yes. I know
14:56:20 <reedip> 4 min ...
14:56:24 <tuhv> SridarK_, that's why we are trying to improve Netlink
14:56:26 <tuhv> :)
14:56:30 <SridarK_> annp: yes tuhv +1
14:57:06 <SridarK_> hoangcx: cool
14:57:17 <yushiro> oops, 3 minutes.  Let's accelerate now..
14:57:20 <hoangcx> Hope we can close v1 soon :-)
14:57:28 <yushiro> #topic bugs
14:57:29 <SridarK_> yushiro: yes pls need 2 mins in Open Disc
14:57:40 <yushiro> #topic Open Discussion
14:58:03 <SridarK_> we can do  bugs next week
14:58:09 <reedip> If we remove Linux Bridge and use OVS, what would be the Firewall driver to be used
14:58:24 <yushiro> Let me check my TODO:  Update IRC etherpad for new priorities in Pike
14:58:26 <xgerman> I've
14:58:31 <reedip> this?? : https://docs.openstack.org/developer/neutron/devref/openvswitch_firewall.html
14:58:36 <SridarK_> So perhaps our stretch goal can be to target Pike 1 for the L2 changes
14:58:52 <xgerman> +1
14:59:00 <SridarK_> so before the summit we have L2 working
14:59:17 <yushiro> reedip, In my understanding, Linux bridge will support but hybrid configuration will be unsupported.
14:59:36 <yushiro> OK, folks, can we discuss in #openstack-fwaas ?
14:59:41 <yushiro> Because 1 minute left.
14:59:42 <reedip> yep
14:59:59 <SridarK_> One other quick note on the meeting - we will round robin the running of the meeting across xgerman, yushiro and myself
15:00:01 <blallau> yep
15:00:07 <xgerman> Gotta run but will hang as long as I can
15:00:13 <yushiro> SridarK_, +100
15:00:19 <SridarK_> ok time
15:00:24 <yushiro> #endmeeting