#openstack-meeting-4 log

14:01:13 <xgerman> #startmeeting fwaas
14:01:14 <openstack> Meeting started Tue Apr 25 14:01:13 2017 UTC and is due to finish in 60 minutes.  The chair is xgerman. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:18 <openstack> The meeting name has been set to 'fwaas'
14:01:31 <xgerman> #chair SridarK yushiro
14:01:31 <openstack> Warning: Nick not in channel: SridarK
14:01:33 <openstack> Warning: Nick not in channel: yushiro
14:01:33 <chandanc> hello
14:01:34 <openstack> Current chairs: SridarK xgerman yushiro
14:01:42 <xgerman> #chair SridarK_
14:01:43 <openstack> Current chairs: SridarK SridarK_ xgerman yushiro
14:01:58 <xgerman> ok, whose turn is it this week
14:02:00 <xgerman> ?
14:02:12 <SridarK_> xgerman: i believe it is u :-)
14:02:21 <xgerman> ok
14:02:28 <xgerman> #topic announcements
14:02:51 <xgerman> PTL elections finished… they have the results somewhere
14:03:20 <xgerman> OpenStack summit is in two weeks or so!!
14:04:01 <xgerman> OSIC closed (https://t.co/dhFAyhOVy5)
14:04:16 <SridarK_> xgerman: :-(
14:05:00 <xgerman> yeah, things always get chaotic when I am on PTO :-(
14:05:14 <xgerman> #topic Pike
14:06:05 <xgerman> Pike-2 is 6/12 ~6 weeks
14:06:32 <xgerman> How are things shaping up?
14:06:37 <xgerman> L2 support/OVS?
14:07:02 <chandanc> I had posted the documents on the ovs changes
14:07:23 <chandanc> i hope people could go through them
14:07:44 <chandanc> Was able to setup the testbed and do the required code changes
14:07:59 <reedip> Hi
14:08:00 <chandanc> traffic testing is pending though
14:08:02 <SridarK_> chandanc: sorry i am really swamped on other things at work - but will definitely review it
14:08:18 <chandanc> SridarK_, no problem, was busy myself too
14:08:26 <xgerman> yeah, I will have a look as well
14:08:34 <chandanc> code changes are actually much simpler
14:08:44 <SridarK_> chandanc: that is good
14:08:47 <xgerman> we really need to work on our review velocity — I see kevinb and others pitching in a lot though ;-
14:08:47 <chandanc> i will push up a patch by the  week
14:08:48 <xgerman> )
14:09:02 <xgerman> chnandanc this is grand
14:09:16 <SridarK_> xgerman: yes +1 - i have become very slow but after next week shd be back to usual
14:09:17 <chandanc> ya, but testing will be a major task
14:09:37 <SridarK_> chandanc: yes esp interop
14:09:40 <SridarK_> with SG
14:09:45 <xgerman> +1
14:09:56 <chandanc> one more thing to mention, i have introduced a flag for coexistance
14:10:21 <SridarK_> chandanc: meaning if u see the SG driver loaded ?
14:10:30 <chandanc> we will need some way to figure out if the FWAAS driver is in standalone or coexistance mode
14:10:33 <yushiro> Hi. Sorry for late.
14:10:39 <xgerman> n.p.
14:10:39 <chandanc> ya
14:10:56 <yushiro> I just arrived at my home.
14:10:57 <chandanc> currently i am setting it manually
14:10:59 <xgerman> chandanc worst case we use a configuration flag
14:11:12 <SridarK_> +1
14:11:16 <chandanc> ya, was thinking of that
14:11:33 <SridarK_> eventually we may need some basic infra to see what features are loaded
14:11:42 <SridarK_> but now i think it is just 2
14:11:53 <SridarK_> or rather it will be 2
14:12:15 <chandanc> i dont want that to be in the driver, but may be the agent can pass the config option, but i am ready to change driver too if need be
14:12:47 <cuongnv> o/
14:12:51 <SridarK_> chandanc: yes that is defn a possibility
14:13:05 <SridarK_> but it may be tricky in terms of ordering
14:13:11 <SridarK_> hmm no
14:13:16 <chandanc> please, have alook at the spread sheet and provide feedback
14:13:24 <SridarK_> may be we can glean that off neutron.conf
14:13:35 <xgerman> likely
14:13:46 <chandanc> currently i am forcing FW to be loaded before SG
14:13:54 <chandanc> using table numbers
14:14:05 <xgerman> k, we can make that our assumprion
14:15:03 <chandanc> i think the details will be clear if you have a look at the excel sheet
14:15:13 <SridarK_> chandanc: ok +1
14:15:44 <xgerman> k
14:15:55 <chandanc> thanks SridarK_ xgerman
14:16:12 <xgerman> with yushiro we can chat about the default fwg
14:16:28 <yushiro> ya
14:16:39 <xgerman> I think it’s shaping up nicely
14:17:23 <reedip> hi
14:18:03 <yushiro> xgerman, thanks.
14:18:14 <yushiro> I'm locally updating in L2-agent side.
14:18:32 <yushiro> regarding default fwg,  I'm now writing UTs.
14:18:55 <xgerman> nice
14:18:57 <SridarK_> yushiro: cool, we will have some impact on the plugin side too
14:20:21 <yushiro> SridarK_, yeah.  Now, l2-agent side includes bug for deleting/updating.
14:20:25 <SridarK_> When a VM with a FWG is deleted
14:20:26 <reedip> I just came here to drop a quick message - https://review.openstack.org/#/c/455422/ : Adds protocols for FWaaS which can be further used in Common Classifier Model
14:20:26 <reedip> - https://review.openstack.org/394619 : Adds the full stack framework, tests can be added into it later on.
14:20:26 <reedip> - https://review.openstack.org/#/c/440331/7 : dependent om 455422(1)
14:20:51 <SridarK_> reedip: cool u really should not be here !! ;-)
14:21:18 <reedip> I know , she switched my PC off , I asked for 10 min though
14:21:28 <SridarK_> reedip: ;-)
14:21:34 <xgerman> reedip did you see kevinb’s comment on https://review.openstack.org/394619?
14:21:59 <xgerman> He says we should run some experimental gate frist
14:22:02 <xgerman> first
14:22:06 <reedip> leaving , ciao
14:22:08 <yushiro> reedip, wow, you're holiday now?  Thanks for your notification.
14:22:18 <xgerman> thanks
14:22:44 <xgerman> but two out of three are stuck — so not sure if we should drive while reedip is away or wait…
14:23:08 * xgerman sends memory by pidgeon
14:23:19 <SridarK_> :-)
14:23:39 <SridarK_> xgerman:  i think we can hold off - we probab have our focus with L2
14:23:40 <yushiro> OK, so, in l2-agent, I'd like to reach out Paddu about that.  This patch should be shaped more.
14:23:58 <xgerman> SridarK_ +1 - that’s what I am thinking as well
14:24:04 <SridarK_> yushiro: yes i think we may have a small issue on that front
14:24:17 <outofmemory> xgerman : I will ping you later for that :)
14:24:28 <xgerman> k
14:24:59 <yushiro> SridarK_, yeah.  in my local patch,  if vm port is created, default fwg can be associated and change into 'ACTIVE'.
14:25:49 <xgerman> nice
14:25:59 <yushiro> In this timing, in plugin layer, a validation between fwg and ports will be executed.
14:26:22 <yushiro> Current implementation,  it is validated between  context.tenant_id and tenant_id for port.
14:26:27 <SridarK_> yushiro: when the port gets deleted - we may be ok in terms of cascade delete on the port resource so will remove the row in the FWG association table
14:26:39 <SridarK_> yushiro: +1
14:27:26 <yushiro> However, context will be changed into admin priviledge, so it should be validated tenant_id between fwg and port.
14:28:19 <yushiro> SridarK_ has commented in plugin source code about that :)
14:28:36 <yushiro> OK, anyway, I'll update patch and please take a look.
14:28:49 <xgerman> sounds good
14:28:59 <SridarK_> yushiro: ok we may have some corner case - but we can deal that next
14:29:41 <yushiro> folks,  here is procedure for default fwg + l2-agent + ovs firewall driver:https://etherpad.openstack.org/p/fwaas-v2-l2-agent
14:29:56 <SridarK_> yushiro: thanks
14:29:57 <yushiro> But xgerman sent us much more better procedure :)
14:30:16 <xgerman> well, I didn’t work it out — just something to think about…
14:30:43 <SridarK_> xgerman: yes makes sense
14:31:00 <yushiro> xgerman, In fact, I'm afraid of applying patch in building devstack :)  But it is safety than doing db migration.
14:32:10 <xgerman> I do it all the time — but devstack is  fickle
14:32:56 <xgerman> Last items are Horizon support  and CL
14:32:58 <xgerman> I
14:33:08 <yushiro> SridarK_, xgerman That's all for l2-agent / default fwg side.
14:33:17 <xgerman> thanks
14:33:40 <SarathMekala> on the Horizon side, I am able to get the Policies tab fully functional now
14:33:48 <xgerman> yeah!!
14:33:49 <SarathMekala> with this policies and rules tabs are ready
14:33:51 <SridarK_> SarathMekala: great
14:33:59 <SarathMekala> I am working on the firewall tab
14:34:15 <SarathMekala> I got swamped with work last week and the progress was a lil slow
14:34:35 <SarathMekala> I will ensure that it gets ready by next week
14:34:48 <SarathMekala> I have a few questions in between
14:34:51 <xgerman> I think we still want to demo that in BOS?
14:35:07 <amotoki> hi, one question on fwaas-dashboard. it seems a right topic
14:35:07 <SridarK_> xgerman: +1
14:35:29 <SarathMekala> yes xgerman, by next week I meant our next weekly sync up
14:35:52 <SarathMekala> yes amotoki
14:36:01 <SarathMekala> whats your question?
14:36:19 <amotoki> hi, is anyone creating a repo of neutron-fwaas-dashboard?
14:36:41 <SarathMekala> I have created one
14:36:45 <yushiro> sorry, suddenly logged out from IRC.
14:37:06 <amotoki> SarathMekala: sounds nice. thanks
14:37:15 <SarathMekala> we are following the plugin model as suggested by Rob cresswell
14:37:30 <SarathMekala> ok.. thanks
14:37:32 <amotoki> I am planning to move FWaaS v1 stuff to the plugin too.
14:37:48 <amotoki> of course if you don't mind
14:38:12 <SarathMekala> sure.. the namespaces are different, so should not be a problem
14:38:47 <amotoki> i can review the plugin implementation too
14:38:53 <SarathMekala> sure amotoki
14:39:05 <SarathMekala> will add you to the reviewer list once I check in
14:39:10 <SarathMekala> I have a few questions regarding V2 firewall tab
14:39:37 <SarathMekala> should the user have the functionality to add/remove ports on the firewall table?
14:39:42 <xgerman> amotoki we are planning on sunsetting FWaaS-V1 towards the end of the R-release
14:40:33 <amotoki> xgerman: sounds good to me too :)
14:40:38 <yushiro> yes
14:41:10 <SarathMekala> yushiro, this is as a part of the action button
14:41:30 <SridarK_> SarathMekala: yes i think this would be right place to set the association
14:41:41 <SarathMekala> ok
14:41:52 <SridarK_> ingress policy, egress policy, port associations
14:41:55 <SarathMekala> this way we will end up with 6 actions
14:42:01 <SarathMekala> yes.. add and remove for them
14:42:18 <SarathMekala> and update and delete the firewall group actions
14:42:39 <yushiro> SarathMekala, yes.  But we should filter port candidate that not associated with any firewall_group.
14:42:56 <yushiro> SarathMekala, It's more kindly for a user.
14:43:15 <SarathMekala> yes
14:43:33 <SarathMekala> yushiro, if you have any pointers to the corresponding client methods it will save me some time
14:45:12 <yushiro> SarathMekala, OK.  create/update/delete/insert rule/remove rule/  and 1?
14:45:48 <SarathMekala> yushiro, i need the pointers on port association and disassociation
14:46:05 <SarathMekala> and if any filtering logic is available already
14:46:19 <yushiro> SarathMekala, aha, OK. I understood.  That's why you asked me last week :)
14:46:31 <SarathMekala> yes :)
14:46:45 <yushiro> it makes sanse.  6 actions.
14:46:51 <SarathMekala> I need to use the neutron client for all my api calls
14:47:28 <yushiro> neutron client?  v2 is only openstackclient.  neutron one is for v1.
14:47:42 <SridarK_> SarathMekala: if i understand correctly, u will have a drop down or list of valid ports (ie those that do not have FWG associated) for that tenant
14:48:02 <SridarK_> and the user can pick from that list of valid ports
14:48:11 <SridarK_> to associate with this FWG
14:48:11 <yushiro> SridarK_, +1.  Same project and not associated with any firewall_group.
14:48:22 <yushiro> as a candidate for association.
14:48:26 <xgerman> but if the user likes to change FWG?
14:48:29 <SridarK_> perfect
14:48:37 <SridarK_> xgerman: yes u read my mind
14:49:09 <SarathMekala> thanks SridarK_
14:49:22 <amotoki> SarathMekala: yushiro: it is a correct thing to use neutronclient as bindings
14:49:25 <SridarK_> on the update scenario - u will need to display the currently associated ports and other valid ports
14:49:46 <SridarK_> so u can remove associate ports here
14:49:55 <SarathMekala> allow multiple ports to be added at once right?
14:49:59 <SridarK_> then these ports can go to the valid pool
14:50:04 <SridarK_> SarathMekala: yes
14:50:17 <SridarK_> i am thinking u pick the ports
14:50:19 <yushiro> SridarK_, +1  for ex.  left side is currently associated,  right side is valid ports..
14:50:37 <SridarK_> SarathMekala: actually u can look at the FWaaSv1 dashboard for L3 port association
14:50:44 <SridarK_> it should be very similar
14:51:08 <xgerman> well, if we think of SG we should also allow picking vms?
14:51:14 <SarathMekala> ok SridarK_ will check it out
14:51:25 <yushiro> amotoki, you mean that 'actions' for horizon should be aligned with neutronclient one?
14:51:49 <xgerman> I think they should be aligned with a great user experience ;-)
14:52:00 <SridarK_> xgerman: i guess as a first step we will pick the neutron ports associated with the vms
14:52:02 <xgerman> Horizon/CLI target different types of users
14:52:05 <yushiro> xgerman, +1 :)
14:52:21 <xgerman> SridarK_ makes sense
14:52:24 <yushiro> SridarK_, I agree with you.
14:52:25 <amotoki> yushiro: horizon uses neutronclient bindings to talk with neutron. OSC fwaas plugin uses python bidngs
14:52:52 <yushiro> amotoki, aha, I see.  thank you.
14:53:37 <SarathMekala> thanks amotoki
14:54:12 <amotoki> if you have something to be improved in horizon side itself for FWaaS v2, I can help you.
14:54:24 <xgerman> 5 minute warning
14:54:32 <SridarK_> amotoki: thx as always
14:54:37 <SarathMekala> thanks amotoki .. I will keep you in loop
14:55:07 <yushiro> sorry for intruppt.
14:55:26 <yushiro> Did you discussed FWaaS v2 presentation in b
14:55:30 <yushiro> boston ?
14:55:47 <xgerman> not yet
14:55:48 <SridarK_> yushiro: not yet
14:55:54 <xgerman> #topic BOS
14:55:57 <SridarK_> maybe we can meet offline
14:56:06 <yushiro> SridarK_, Yes.
14:56:10 <yushiro> chandanc, Is it OK for you?
14:56:27 <chandanc> sure
14:56:41 <xgerman> #topic Open Discussion
14:57:37 <yushiro> SridarK_, xgerman I'll udpate API reference docs for supporting v1.  Thanks for your reply.
14:57:44 <xgerman> +1
14:57:49 <SridarK_> ok
14:57:53 <yushiro> SridarK_, did you see my e-mail?
14:57:59 <SridarK_> yes i did
14:58:01 <xgerman> we should mention that in BOS, too, to gather feedback
14:58:06 <SridarK_> will respond
14:58:10 <yushiro> yes.
14:58:26 <SridarK_> we can figure out a time to iron out the presentation
14:58:32 <SridarK_> for the summit
14:58:38 <chandanc> +1 SridarK_
14:58:51 <yushiro> yes.
14:59:09 <SridarK_> sorry i have been very swamped so been difficult to keep up - after next week things shd be back to normal
14:59:27 <xgerman> #endmeeting