14:00:33 #startmeeting fwaas
14:00:34 Meeting started Tue Apr 11 14:00:33 2017 UTC and is due to finish in 60 minutes. The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:35 o/
14:00:35 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:38 hi all O/
14:00:38 The meeting name has been set to 'fwaas'
14:00:46 #chair SridarK yushiro xgerman njohnston
14:00:46 Current chairs: SridarK njohnston xgerman yushiro
14:00:50 hi
14:00:59 hi
14:01:12 Hello all
14:01:25 SridarK, OK, I'll do it today :)
14:01:28 +1
14:01:37 #topic Pike
14:01:41 yushiro: yes ur turn :-)
14:02:07 Discussion with Kevin - go with OVS rather iptables for L2 as neutron will move to OVS support
14:02:19 #link https://review.openstack.org/361071
14:02:49 sorry. I missed. https://review.openstack.org/#/c/323971/
14:02:59 and https://review.openstack.org/#/c/447251/4
14:03:13 chandanc_, it's your turn :)
14:03:43 I have been doing some tests with the coexistence of SG and FWG
14:04:22 col
14:04:27 cool
14:04:29 OK
14:04:29 as of last update i was able to run the SG and FWG l2 driver side by side
14:04:37 Nice!
14:04:42 http://paste.openstack.org/show/606135/
14:04:47 some output
14:05:11 Thanks for your link
14:05:27 the issue now is to merge the two so that the packet is accepted only when both SG and FWG allows it
14:05:39 chandanc_: could u maybe do a quick walk thru of the paste ?
14:06:00 the driver (both SG and FWG) use 5 tables each
14:06:05 sure
14:06:53 1 sec plz
14:07:01 chandanc_: np
14:07:14 https://review.openstack.org/#/c/447251/4/neutron_fwaas/services/firewall/drivers/linux/l2/openvswitch_firewall/constants.py
14:07:15 if u want to put out a google doc later on that is fine too
14:07:33 i will send a mail and put up a doc
14:07:43 sounds good.
14:08:10 ok now the significance of the tables is more clear with ur link ^^^
14:08:19 yes lets take it offline
14:08:21 thx chandanc_
14:08:29 if you look at the constants you will see that 5 tables are used by the driver, ingress base, ingress fw rules, egress base, egress fw rules and the accept table
14:08:41 (41, 42, 43, 51 and 52)
14:09:11 chandanc_: yes that helps
14:09:16 the FWG uses series tables 40 to 50 series
14:09:18 yes
14:09:33 and 70 to 80 series is used by SG
14:10:07 now we have to chain these tables so that the packet flows through both SG and FWG before being accepted
14:10:28 there are some overlap in the rules that may be optimized
14:11:07 but by the table allocations the separation is clean
14:11:08 but at the same time we have to take care to retain the possibility of running these drivers independently
14:11:17 yes SridarK
14:11:59 we may have case when fwaas is on enabled or SG is enabled with iptables
14:12:20 +1
14:12:21 we have to decide which of the above combination we will support
14:12:59 i wonder if we need to do that
14:13:01 I am still not sure if kevinb meant all of Neutron was going OVS or just FWaaS
14:13:10 i could make some changes to chain the tables, but will need some more playing around
14:13:12 if it’s the former it will cut down on combinations
14:13:13 xgerman: i believe it was neutron
14:13:18 yep
14:13:32 that’s my belief as well but it’s not documented anywhere
14:13:38 sure SridarK, if we can reduce the combination it will help
14:13:52 so, 1: fw=ovs, sg=ovs 2:fw=ovs, sg=iptables 3:fw=iptables, sg=ovs 4:fw=iptables, sg=iptables
14:14:19 xgerman: and i recall u also raised this at the PTG for backwards compat esp if we have someone who is running sg with iptables and may not want to make the jump
14:14:31 yes
14:14:42 and he said there might be a “hybrid”
14:14:50 but they also had migration scripts
14:14:54 I will send a detailed mail on the current understanding and the approach i am taking to make the coexistence work
14:15:14 I am ok with not supporting iptables SG
14:15:27 in our first release
14:15:27 if we do need to support a sort of hybrid that can be pass 2
14:15:30 2 and 3 is 'hybrid' as xgerman said. So, we don't care about that.
14:15:32 xgerman: +1
14:15:45 xgerman, +1
14:16:12 xgerman, +1
14:16:32 yushiro: +1
14:16:41 i will confirm after testing though :)
14:16:45 chandanc_: that is good progress thx
14:16:46 I agree, +1
14:17:02 So, focusing "1." now, right?
14:17:03 thanks SarathMekala
14:17:21 1 is my focus now, yushiro
14:17:29 chandanc_, OK. Thanks.
14:18:01 OK, next.
14:18:03 #link https://review.openstack.org/#/c/323971/
14:18:30 Paddu try to add more UTs in this patch.
14:19:05 I'm just testing this patch with default fwg + chandanc_ 's ovs driver patch.
14:19:10 sorry got disconnected..
14:19:32 yushiro, thanks for the pep8 fix
14:19:52 I found that current l2-agent is missing to update 'status' for default firewall_group.
14:20:48 So, default fwg is 'PENDING_CREATE'.
14:21:02 chandanc_, np
14:21:35 oops, it's not default fwg turn. sorry. What I'd like to say is,,
14:22:33 In L2-agent side, (1) it should be updated 'status' of fwg and (2) apply default fwg for L2 port.
14:22:45 I'm trying to fix (1) and (2)
14:24:20 yushiro: yes on the PENDING_CREATE - this may require some rework as the workflow is quite different on L2
14:24:20 +1 for (2)
14:24:27 o/
14:24:57 SridarK, OK. And we need to determine what is 'active' for L2.
14:25:41 yes
14:25:51 yushiro: yes this area may need some rework in general too but lets keep it simple for now to get L2 support in
14:26:18 SridarK, sure. simple means .... INACTIVE: no ports are associated, ACTIVE: at least 1 port is associated
14:26:22 indeed I think we can work with Active/Error right now
14:26:28 yushiro: yes exactly
14:26:44 make sure to have ERROR
14:26:45 guess I will see the logs to understand whats happening :)
14:26:48 OK, thanks SridarK and xgerman
14:26:58 Next
14:27:10 Fix "public" attribute behavior: #link https://review.openstack.org/#/c/424534/
14:27:30 oh, sorry. I forgot to update it.
14:28:04 vks1 patch has been merged and this patch needs minor change.
14:28:28 #link https://review.openstack.org/#/c/451705/ ?
14:28:54 SridarK, yes. this is for vks1
14:29:22 aha,
14:29:31 good we finally fixed this - somehow early on i think we misunderstood and went thru a lot of unnecessary work :-)
14:29:33 I think https://review.openstack.org/#/c/424534/3 is not necessary
14:29:55 because we can filter by using 'shared' as usual.
14:30:01 +1
14:30:11 yushiro: hi
14:30:12 Yep that patch may not be required
14:30:21 OK, I'll abandon this patch.
14:30:24 but I saw that policy.json has both public and shared
14:30:26 vks1, hi
14:30:28 we may need to change that
14:30:28 yushiro: yes it seems so
14:30:34 reedip_: good point
14:30:42 reedip_, yes, exactly.
14:30:57 vks1: do u want to pick that up ?
14:31:03 vks1: and thanks
14:31:12 I was thinking of removing that , but then I didnt know why we kept it in the first place
14:31:20 for bringing shared back to the limelight :-)
14:31:35 ;-)
14:31:45 https://github.com/openstack/neutron-fwaas/blob/master/etc/neutron/policy.d/neutron-fwaas.json
14:31:54 There are still 'public'
14:32:09 SridarK: sure
14:32:11 yeah ...
14:32:22 vks1, Sounds good! Thank you.
14:32:23 we need to ditch that yushiro
14:32:49 reedip_: +1
14:32:56 reedip_, yeah ~~
14:33:01 lemme put up a patch, if you dont mind :)
14:33:15 reedip_: yes pls :-)
14:33:25 pls
14:33:27 :)
14:33:30 done
14:34:07 OK, next
14:34:09 Neutron-lib adoption: https://review.openstack.org/#/c/421472/
14:34:24 reedip_, it's your turn :)
14:34:42 I just came home :D
14:35:02 Oh, good :)
14:35:22 well, boden has published some patches for neutron-lib, I am following those changes up as the latest lib version has been released (1.4.0)
14:35:46 OK.
14:35:48 for the patch which njohnston had put up , there are some other dependent patches which I have published
14:36:08 ok, sounds good
14:36:14 The only thing which was worrying me was that the commit ID seems to be wrong in this patch, therefore no tests are running
14:36:22 I will fix that in a minute
14:36:31 great.
14:36:36 +1
14:37:02 next is ... Horizon support.
14:37:27 Is sarathmekala here?
14:37:35 <_sarathmekala_> yeah
14:37:55 <_sarathmekala_> I had a discussion with Rob Creswell
14:38:15 <_sarathmekala_> and generated the plugin structure
14:38:22 <_sarathmekala_> he is ok with the changes
14:38:48 <_sarathmekala_> the conclusion is that we can create our own structure inside it
14:39:11 <_sarathmekala_> so.. in the benefit of time, I am working on the old model for now
14:39:14 yeah, there was still some discussion how to align repos but consensus is building for each project getting their own
14:39:40 <_sarathmekala_> xgerman, ok
14:39:48 _sarathmekala_: ok will it be a big jump to get things aligned to commit ?
14:39:59 from the old model that is ?
14:40:02 <_sarathmekala_> SridarK, it should not be
14:40:23 <_sarathmekala_> the changes mostly will be align with that structure
14:40:29 <_sarathmekala_> functionality should be the same
14:40:51 _sarathmekala_: ok whichever is easier for u
14:40:53 <_sarathmekala_> I have fixed the issues i was facing with Rules tab
14:41:09 it would be ideal to have the code changes go in by summit time
14:41:17 _sarathmekala_: You can use the old structure if you like. It really doesn't matter either way, but the generated one is perfectly valid.
14:41:29 <_sarathmekala_> thanks robcresswell
14:41:30 but plan B is that we can have some code that can be demo ready
14:41:42 Hey just a minute
14:41:46 If you run into any bugs or need some reviews before Boston, ping me
14:41:48 <_sarathmekala_> yes SridarK, I am targetting for that
14:41:53 I'll try and fit some time in :)
14:42:03 _sarathmekala_: ok
14:42:04 <_sarathmekala_> sure robcresswell, I may need some help during integration
14:42:07 robcresswell: thx :-)
14:42:11 goooood :)
14:42:12 +1
14:42:25 <_sarathmekala_> I more or less done with Rules tab
14:42:32 <_sarathmekala_> will send across a patch tomorrow
14:42:49 sorry for interruption , I think amotoki is discussing http://lists.openstack.org/pipermail/openstack-dev/2017-April/115200.html , which is regarding dashboard support for neutron stadium project
14:42:49 <_sarathmekala_> if anyone has bandwidth they can download and give it a try
14:43:21 reedip_: yes indeed
14:43:44 i think we are fairly ok with either (a) or (c) options
14:43:45 <_sarathmekala_> reedip_, thanks for the link.. will go through it
14:43:59 but wanted to think this thru a bit
14:44:01 That is long term solution, right?
14:44:27 I would recommend A. It fits best with Horizons plugin model, IMO.
14:44:49 robcresswell: ok and also release seems to prefer it too
14:45:22 SridarK: Yep :)
14:45:41 I see.
14:46:10 <_sarathmekala_> thats it from my side
14:46:17 thanks, _sarathmekala_
14:46:37 #topic FWaaS v2
14:46:49 Please discuss only default fwg.
14:47:09 We're discussing in mail for that.
14:47:36 Last week I sent e-mail about default fwg.
14:48:18 Can we start step by step from simple implementation?
14:48:48 yushiro: yes agreed
14:48:53 +1 yushiro
14:49:00 let me also respond to u on email
14:49:12 i had some concerns too
14:49:24 yushiro : I agree with the implementation in small amounts
14:49:31 SridarK, me too.
14:50:21 OK, so, let's skip configurable option(enable/disable) for early impl.
14:50:51 wow, 10 minutes left !
14:51:04 #topic Stadium Compliance
14:51:39 reedip_, Is there some update or want to report?
14:52:27 OK, next
14:52:28 #topic performance improvement for v2
14:53:09 I got some comments from reedip_ and Cedric and also pushed new code based on that
14:53:21 will take a look.
14:53:23 waiting for more reviews atm...
14:53:45 thank you all for your reviews
14:53:59 let's review for them.
14:54:02 cuongnv: i also started looking at it and we should get this in quickly
14:54:21 SridarK, yeah
14:54:37 #topic bugs
14:54:50 SridarK : can someone merge the Pike Etherpad contents with the weekly meeting etherpad, so that we can have all information in the same page
14:54:50 I think a lot of contents for the stadium is in both the etherpads so things may get lost
14:55:17 reedip: ok agreed
14:55:42 sorry, just joined, network issue
14:55:56 reedip_: yes agreed on the etherpads
14:56:07 it's reasonable ;)
14:56:09 #topic Open Discussion
14:56:16 sorry for interrupt.
14:56:31 SridarK, chandanc_ I'd like to discuss with you about Boston summit presentation.
14:56:43 just for note: following patches are up for review in neutron-lib for FWaaS : https://review.openstack.org/455422 , https://review.openstack.org/451229
14:56:53 It’s still not clear if we have budget
14:57:12 yushiro: yes lets do that - we can come up with a first pass and get reviews from others as well
14:57:22 xgerman: oh really i hope it comes thru
14:57:27 +1 SridarK
14:57:37 I just got "GO sign" from my manager. I can go to Boston
14:57:48 awesome!!
14:57:52 I will be there
14:58:00 I wont be there :)
14:58:11 :)
14:58:15 I probably might get married by then :P
14:58:19 reedip_: and u have more important things :-)
14:58:24 congrats!!
14:58:28 yushiro: great
14:58:37 xgerman : thanks
14:58:40 reedip: congrats
14:58:47 reedip_, congrats!
14:58:50 We may also think about team meetup at Forum if possible :-)
14:58:51 reedip_: if u land up at Boston, u will hear it about for the rest of ur life :-)
14:58:59 :)
14:59:01 I'll presentation with Monasca for logging feature in Monday. In this presentation, I'll inform audience about fwaas session :)
14:59:03 <_sarathmekala_> reedip_, Congrats
14:59:15 reedip_, congrats!!
14:59:15 Congrats reedip_
14:59:17 hoangcx: +1
14:59:27 _sarathmekala, yushiro, chandanc_ cuongnv ,annp : thanks ... SridarK : yeah I know ... !
14:59:47 also FYI I am running for the TC so make sure to vote
14:59:55 OK, let's keep on discussing openstack-fwaas if possible about summit.
14:59:58 xgerman: yes will do
15:00:05 thx
15:00:10 xgerman : Oh great .. yeah we will do :)
15:00:19 xgerman, wow!! great
15:00:20 #endmeeting