14:00:06 <yushiro> #startmeeting fwaas
14:00:07 <openstack> Meeting started Tue Mar 21 14:00:06 2017 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:11 <openstack> The meeting name has been set to 'fwaas'
14:00:18 <blallau> Hi all
14:00:22 <cuongnv> hi
14:00:22 <yushiro> #chair SridarK yushiro xgerman njohnston
14:00:23 <openstack> Warning: Nick not in channel: SridarK
14:00:24 <xgerman> hi
14:00:25 <openstack> Current chairs: SridarK njohnston xgerman yushiro
14:00:27 <chandanc_> Hello
14:00:31 <SarathMekala> hi all O/
14:00:33 <vks1> hi all
14:00:35 <hoangcx> hi
14:00:41 <yushiro> #chair SridarK_
14:00:44 <openstack> Current chairs: SridarK SridarK_ njohnston xgerman yushiro
14:00:53 <SridarK_> Hi All
14:01:10 <yushiro> hi,  today is njohnston for chair, OK?
14:01:37 <xgerman> Is he in?
14:01:58 <yushiro> yeah... he looks not here..
14:02:06 <yushiro> OK, I'll do it.
14:02:10 <yushiro> let's begin.
14:02:13 <xgerman> sounds good
14:02:17 <SridarK_> yushiro: yes
14:02:17 <yushiro> #topic Pike
14:02:34 <yushiro> oops
14:02:56 <yushiro> let's focus on high priority.
14:03:15 <yushiro> L2 support:  #link https://review.openstack.org/361071
14:04:03 <yushiro> chandanc_, Is there any progress ?
14:04:39 <chandanc_> yushiro, i am now working on the OVS driver instead and the iptables driver is on hold
14:05:06 <xgerman> iptables even got abandoned by Kevin
14:05:14 <xgerman> (our driver)
14:05:15 <chandanc_> I think the OVS driver is what i am focusing to complete first
14:05:23 <yushiro> chandanc_, xgerman  yes.  sorry, this is old link :(
14:05:26 <SridarK_> i think that makes sense
14:05:28 <chandanc_> yes, i saw that today
14:05:33 <xgerman> #link https://review.openstack.org/348177
14:05:45 <chandanc_> no problems, i will give an update on the ovs driver instead
14:06:03 <chandanc_> https://review.openstack.org/#/c/447251/
14:06:22 <chandanc_> the patch is in the very initial stage
14:06:28 <reedip> ~o~
14:06:43 <chandanc_> it is based on the SG driver that was done by jakub
14:06:55 <yushiro> chandanc_, OK, it's a good start.
14:07:04 <annp> chandanc_: thanks for great work. :)
14:07:07 <chandanc_> i have started to adapt it for the FWaaS v2 API calls
14:07:18 <chandanc_> hello annp
14:07:23 <yushiro> chandanc_, And last week, annp sent some help to you.
14:07:45 <chandanc_> i will add you guys to the review once i am able to run some tests
14:07:58 <annp> hi chandanc_
14:08:08 <chandanc_> yes, i have received the mails from annp
14:08:17 <yushiro> annp, Could you share your e-mail for all fwaas folks?
14:08:38 <chandanc_> +1 yushiro
14:09:36 <yushiro> chandanc_, If you have some help, please send e-mail to fwaas members.
14:09:37 <annp> yushiro, surely. I will do that, tomorrow.
14:09:45 <SridarK_> yushiro: or chandanc_: can u pls add the fwaas folks in case annp may not have everyone email
14:09:49 <chandanc_> I have some queries regarding the l2 extension , will send mail on the current issues
14:10:04 <chandanc_> SridarK_, same for vks1
14:10:11 <yushiro> SridarK_, Yes, I'll help him.
14:10:45 <yushiro> vks1, also takes a look for OVS firewall part.  let's sync up :)
14:10:55 <SridarK_> chandanc_: ok will do
14:11:02 <yushiro> next.
14:11:10 <yushiro> #link https://review.openstack.org/323971
14:11:25 <chandanc_> I am afraid thats all the update i have for now on the driver front
14:12:15 <yushiro> chandanc_, driver front?
14:12:28 <chandanc_> BTW, hope you went through the summary mail on the OVS vs IPtables driver
14:12:58 <chandanc_> yushiro, i mean thats all i have from my side
14:13:11 <yushiro> chandanc_, aha, OK. I see.
14:13:11 <reedip> chandanc_ , annp, vks1 : JFYI, all email IDs of the team members are , and should be updated in Line#18 onwards in https://etherpad.openstack.org/p/fwaas-meeting
14:13:41 <yushiro> L2 agent side, I need to update some nit.  Loading driver part and so on.
14:13:43 <chandanc_> reedip, thanks
14:13:59 <yushiro> annp, thanks for your review.
14:14:15 <yushiro> next.
14:14:15 <xgerman> thx
14:14:21 <yushiro> #link https://review.openstack.org/#/c/425769/
14:14:42 <yushiro> Default firewall group patch.  It's my part too.
14:14:48 <SridarK_> yushiro: great - i think this is mostly done
14:15:14 <SridarK_> we will need to integrate with the driver once that is ready
14:15:41 <yushiro> SridarK_, definitely.  let's do it.
14:15:54 <reedip> yushiro : query
14:15:56 <yushiro> However, I have one question for default fwg.
14:16:19 <reedip> is the default fwg always going to exist or should it be configurable ?
14:16:24 <reedip> I mean
14:16:53 <reedip> if we have a new fwaas deployment, should it have default fwg ? or can we make it configurable so that Upgraded users dont have an issue
14:17:28 <reedip> ( forget upgraded users ... any user who uses fwaas v2)
14:17:30 <xgerman> reedip won’t be an issue since we only apply to L2 which is new
14:17:41 <SridarK_> reedip: the initial thought was that it is always there for L2
14:18:10 <yushiro> reedip, currently, when upgrading(try to start db migration), it validates that whether default fwg(named 'default') exists or not.
14:18:10 <xgerman> yep, we will introduce L2 with default firewalls so it’s coupled
14:18:29 <reedip> xgerman : okay, but still, shouldnt this be configurable. Shouldnt the user want the default fwg to be enabled on L2 only if they want it to?
14:18:52 <xgerman> that is a different question ;-)
14:19:04 <SridarK_> reedip: we should be aligned with Sec groups
14:19:19 <reedip> SridarK_ : I am not sure if a user may be comfortable with a default FWG spawning up ...
14:19:30 <xgerman> well, it might not have rules…
14:20:07 <yushiro> 'Default FWG would be overridden by the User specified FWG (pre RBAC)'
14:20:20 <reedip> IMHO, default fwg is a good option, but configuring it from fwaas.conf seems more comfortable
14:20:34 <reedip> so that the user knows whats gonna happen...
14:20:37 <chandanc_> the current SG default group allows icmp, dhcp and dns, although it looks not configurable
14:20:39 <vks1> reedip: +1
14:21:01 <yushiro> chandanc_, yes, hard coded.
14:21:09 <reedip> chandanc_ yes, it does... but then the user has to change it if they want something new
14:21:10 <chandanc_> yes,
14:21:31 <vks1> vks1: IMHO, it makes more sense if user has control over that
14:21:32 <reedip> all I am saying is , lets have this configurable in the config file, otherwise the idea is good...
14:22:05 <yushiro> OK, initially, we should follow a same behavior to default SG( default rule is hard code, a user can update any rules for default fwg)
14:22:08 <chandanc_> but without dhcp things like cloud-init will not work, so we have to be careful
14:22:16 <SridarK_> reedip: are u thinking just an enable/disable knob for default FWG ?
14:23:15 <reedip> SridarK_ exactly, just default_fwg=True in fwaas.ini /fwaas.conf ( that reminds me , ihar had a bug for FwaaS to load configurable elements using config file )
14:23:39 <SridarK_> We will also need to consider whether SG is present or not ( if someone has set the noop driver)
14:23:39 <reedip> User would know what they are doing and expect everything they want
14:23:47 <yushiro> chandanc_, +1.  we should not block for DHCP packet.
14:25:03 <xgerman> if we make a knob in the configuration file we end up with two knobs…
14:25:11 <reedip> 2 knobs
14:25:12 <reedip> ??
14:25:15 <SridarK_> i think this is a fair point - lets look at the different possible scenarios (SG only) (SG + L2 FWaaS) (L2 FWaaS only)
14:25:24 <xgerman> because off means the same as a FWG without rules
14:25:46 <SridarK_> and make sure we dont create a situation where the user paints themselves into a corner
14:26:03 <yushiro> SridarK_, +1
14:26:09 <reedip> lets take it to the ML /openstack-fwaas ....
14:26:13 <chandanc_> xgerman, does no rule mean no traffic ?
14:26:22 <xgerman> also if you do off in the config and you want to apply default after the act you can't
14:26:36 <reedip> SridarK_ : its easier to have the On Off Switch now than to have a default implementation and then making it On/Off Later :)
14:26:54 <xgerman> chandanc_ then we make an allows-all ruke
14:26:57 <reedip> from config point of view... actual implementation, whole different ballgame
14:27:02 <SridarK_> xgerman: reedip: both good points
14:27:14 <SridarK_> lets take this offline
14:27:15 <reedip> xgerman : Openstack has rukes ??? :D
14:27:23 <SridarK_> may be some potential scenarios
14:27:25 <xgerman> rules
14:27:40 <yushiro> OK, let's discuss more on ML
14:27:55 <SridarK_> possibly amongst fwaas folks first
14:27:55 <reedip> ruke is a combination of Rock and Rule :D
14:28:01 <yushiro> SridarK_, +1
14:28:03 <xgerman> ;-)
14:28:03 <SridarK_> :-)
14:28:12 <yushiro> next
14:28:15 <yushiro> Fix "public" attribute behavior
14:28:23 <yushiro> #link https://review.openstack.org/#/c/424534/
14:28:56 <yushiro> Sorry, I didn't ask Armando/Kevin what word to use shared/public.
14:29:00 <SridarK_> yushiro: yes where does this stand
14:29:03 <SridarK_> yushiro: ok
14:29:13 <yushiro> I'll ping them!!
14:29:19 <SridarK_> ok
14:29:21 <yushiro> Neutron-lib adoption: https://review.openstack.org/#/c/421472/
14:29:42 <yushiro> reedip, Is it any update?
14:29:49 <reedip> waiiit.....
14:30:09 <yushiro> OK
14:30:19 <reedip> I lost the damn page
14:30:39 <reedip> Ok .. https://review.openstack.org/#/q/status:open+project:openstack/neutron-fwaas+message:%22lib%22 has some patches for neutron-lib
14:30:56 <reedip> the above patch has a neutron-lib dependency , I am resolving that
14:31:06 <reedip> but other patches are a go for review
14:31:08 <amotoki> note that 'public' and 'shared' are different terms. If what in your mind is to share something with other projects, it would be 'shared' or resource under 'rbac'
14:31:35 <reedip> amotoki: and what can be meant by public?
14:32:00 <yushiro> amotoki, wow, thanks for your info.
14:32:28 <amotoki> reedip: honestly we don't have a specific definition for 'public'. In my understanding, it can be used in a context of 'router:external'.
14:32:39 <reedip> yushiro : similar to what I was talking about for network :)
14:32:50 <amotoki> in other contexts, IMO it is better to use 'shared' or 'rbac' context.
14:32:52 <reedip> amotoki: that would be a different concept
14:33:07 <SridarK_> amotoki: thx
14:33:17 <reedip> but still amotoki: thanks for your update :)
14:33:18 <SridarK_> so it seems we should be using shared
14:33:30 <reedip> YeeeY !!!
14:33:31 <yushiro> SridarK_, I agree.
14:33:53 <SridarK_> at least in our context the intent is to make it available across other projects
14:34:21 <yushiro> So, we need to modify from 'public' to 'shared'..
14:34:28 <amotoki> anyway we can confirm what kevin/armando think
14:34:32 <SridarK_> yushiro: yes it seems :-(
14:34:47 <yushiro> amotoki, will do!!
14:34:55 <yushiro> OK, next
14:34:59 <reedip> yushiro : can you do that in the same patch ? And lets ask armax/kevinbenton in neutron channel
14:35:12 <amotoki> there is no attr named as 'public' :)
14:35:13 <reedip> yushiro: all, please also go through  https://etherpad.openstack.org/p/neutron_lib_fwaas_punchlist
14:35:30 <reedip> I have updated the etherpad with the current status of lib migrations
14:35:50 <reedip> will do it again tomorrow morning , but meanwhile some reviews are open for you guys
14:36:01 <yushiro> reedip, OK, thanks.
14:37:04 <yushiro> Create FWaaS driver for OVS firewalls https://bugs.launchpad.net/neutron/+bug/1627785
14:37:04 <openstack> Launchpad bug 1627785 in neutron "[RFE] Create FWaaS driver for OVS firewalls" [Wishlist,Confirmed] - Assigned to Nate Johnston (nate-johnston)
14:37:16 <yushiro> I think chandanc_ talked about that before.
14:37:21 <reedip> yushiro : isnt this taken care by chandanc_ 's patch ?
14:37:30 <chandanc_> yes
14:37:37 <yushiro> Yes, so it's skippppp
14:37:41 <reedip> +1
14:37:57 <yushiro> * Horizon support
14:38:03 <yushiro> SarathMekala, here?
14:38:13 <SarathMekala> yes yushiro
14:38:18 <SarathMekala> Hi all
14:38:37 <reedip> ~o~
14:38:55 <yushiro> SarathMekala, hi.  do you have any update?
14:39:18 <SarathMekala> I was travelling a bit and am back now
14:39:31 <SarathMekala> will send across some update by end of this week
14:39:36 <SridarK_> SarathMekala: it will be great if we can have Horizon support in before the summit in May
14:39:50 <SarathMekala> as of now.. I have horizon dashboard ready
14:39:50 <xgerman> yep, it demos well
14:39:55 <SridarK_> SarathMekala: it will be good to do a demo with Horizon
14:40:01 <SridarK_> xgerman: yes exactly
14:40:11 <SarathMekala> sure SridarK_ .. I will get some progress on this
14:40:17 <yushiro> SarathMekala, OK and I hope you spend good trip :)
14:40:17 <SridarK_> SarathMekala: thx
14:40:38 <yushiro> next: Tempest needs more coverage
14:41:14 <yushiro> Is there any update?  reedip ?
14:41:27 <reedip> no updates... the fullstack is pending at my end
14:41:48 <SridarK_> yushiro: i am looking at the tempest as well
14:41:55 <SridarK_> will get some traction on this
14:42:09 <yushiro> SridarK_, good.  thank you.
14:43:00 <yushiro> We talked fwaas v2's patch before.  Therefore, let's skip this topic.
14:43:12 <yushiro> #topic Stadium Compliance
14:43:55 <reedip> yushiro: fullstack, neutron-lib has been covered already
14:44:06 <yushiro> reedip, you just looking fullstack test and lib, OK
14:44:08 <reedip> OSC has also been merged
14:44:17 <yushiro> Yes.
14:44:41 <reedip> yushiro : is there anything else from compliance perspective ?
14:45:22 <yushiro> reedip, i think totally OK but still concern about horizon.
14:45:31 <reedip> JFYI : armax's patch for Stadium : https://review.openstack.org/#/c/445680/2
14:45:38 <yushiro> SridarK_, xgerman Is horizon required for stadium?
14:45:46 <xgerman> don’t think so
14:45:55 <SridarK_> +1
14:46:14 <yushiro> xgerman, OK, thanks :)
14:46:25 <yushiro> reedip, so, it's good status now!
14:46:34 <yushiro> #topic performance improvement for v2
14:46:53 <reedip> yushiro :D
14:47:02 <yushiro> Is Tu here?
14:47:10 <hoangcx> the proposed solution has been brought up for discussion in last week neutron driver team meeting
14:47:18 <hoangcx> #link http://eavesdrop.openstack.org/meetings/neutron_drivers/2017/neutron_drivers.2017-03-16-22.02.log.html#l-106
14:47:34 <hoangcx> https://bugs.launchpad.net/neutron/+bug/1630832
14:47:34 <openstack> Launchpad bug 1630832 in neutron "[RFE] FWaaS: Using Netlink instead of conntrack-tools to improve performance" [Wishlist,Triaged] - Assigned to Ha Van Tu (tuhv)
14:47:59 <hoangcx> They agreed to adopt the solution.
14:48:16 <yushiro> hoangcx, Good news!!
14:48:24 <hoangcx> So, Could you cores please help for review the remaining patches?
14:48:51 <hoangcx> 1. Make conntrack driver be configurable: https://review.openstack.org/#/c/433598/
14:49:01 <hoangcx> 2. Netlink library with full UTs and functional tests: https://review.openstack.org/#/c/437311/
14:49:09 <hoangcx> 3. Netlink driver to manage conntrack entries: https://review.openstack.org/#/c/438445/
14:49:50 <xgerman> k
14:49:51 <yushiro> hoangcx, Definitely I will.  So sorry in these month (cannot review so much) :(
14:49:52 <hoangcx> That's all status for this week. Just waiting for review
14:49:58 <reedip> hoangcx : Do you have some marker ( i.e. common topic ) for the above patches ?
14:50:01 <SridarK_> hoangcx: thx will look
14:50:12 <annp> hi all, for netlink solution I'd like make netlink conntrack more maintainable by support netlink conntrack to pyroute2 than use libnetfilter ctypes. What do you think?
14:50:12 <yushiro> reedip,  +1 good idea.
14:50:27 <reedip> hoangcx : best keep the same topic for all your patches, so its easier to find them :)
14:50:55 <hoangcx> reedip, Actually, It does
14:51:08 <hoangcx> topic "bug/1664294"
14:51:22 <reedip> oh ok ... then we can search based on that
14:52:21 <yushiro> annp, ok, but could you share more info after openstack-fwaas?
14:52:45 <annp> yushiro, Ok.
14:52:53 <yushiro> #topic bugs
14:53:05 <yushiro> Launchpad(filtered by tag 'fwaas'): http://urx2.nu/C7UI
14:53:56 <yushiro> Is there some bugs that you need to talk to?
14:54:00 <SridarK_> yushiro: so last week reedip, xgerman and vks1 did a quick triage of some bugs
14:54:19 <SridarK_> quite a few may not be valid - still need to run thru some more
14:54:29 <SridarK_> will plan to clean it up this week
14:54:42 <reedip> Sridark_ some patches were marked new by kevinbenton's script today
14:54:46 <reedip> so need to revisit them
14:54:54 <SridarK_> reedip: yes
14:55:08 <yushiro> SridarK_, Oh, OK. Maybe I put +2 for them :)
14:55:21 <reedip> yushiro : Just a heads up , you are also required for the Common Classifier meeting happening in #openstack-meeting, once FWaaS meeting finishes...
14:55:22 <yushiro> thanks vks1 and xgerman.
14:56:09 <reedip> SridarK_ Yushiro and I are also looking into the common classifier from FWaaS pov, so therefore he may be required there  :)
14:56:27 <SridarK_> reedip: yes that will be useful
14:56:38 <yushiro> reedip, aaaa!! yes, it is.
14:56:52 <yushiro> #topic Open Discussion
14:56:54 <reedip> xgerman is there as well :)
14:56:59 * igordcard invites all to peek at the ccf spec
14:57:01 <xgerman> ;-)
14:58:01 <SridarK_> so it will be good to get some level of the L2 support and Horizon in place before the summit
14:58:14 <SridarK_> will be good to demo both and get feedback from potential users
14:58:27 <reedip> SridarK_ : I wanted to have your opinion about a small bug,... https://bugs.launchpad.net/neutron/+bug/1623099
14:58:27 <openstack> Launchpad bug 1623099 in neutron "FWaaSv2 - 'firewall_policy_id' is missing in firewall_rule response body" [Low,New]
14:58:27 <chandanc_> SridarK_, +1
14:58:28 <SridarK_> we have about 6 weeks
14:58:49 <SridarK_> reedip: ok yes
14:58:59 <SridarK_> lets discuss offline
14:59:07 <yushiro> Yes.  In summit, we need to discuss some schedule
14:59:14 <reedip> SridarK_ : ok , fwaas channel after the meeting
14:59:16 <SridarK_> reedip: this is an issue defn
14:59:24 <SridarK_> 1 min
14:59:45 <yushiro> #endmeeting