14:01:13 <xgerman> #startmeeting fwaas 14:01:14 <openstack> Meeting started Tue Apr 25 14:01:13 2017 UTC and is due to finish in 60 minutes. The chair is xgerman. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:01:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:01:18 <openstack> The meeting name has been set to 'fwaas' 14:01:31 <xgerman> #chair SridarK yushiro 14:01:31 <openstack> Warning: Nick not in channel: SridarK 14:01:33 <openstack> Warning: Nick not in channel: yushiro 14:01:33 <chandanc> hello 14:01:34 <openstack> Current chairs: SridarK xgerman yushiro 14:01:42 <xgerman> #chair SridarK_ 14:01:43 <openstack> Current chairs: SridarK SridarK_ xgerman yushiro 14:01:58 <xgerman> ok, whose turn is it this week 14:02:00 <xgerman> ? 14:02:12 <SridarK_> xgerman: i believe it is u :-) 14:02:21 <xgerman> ok 14:02:28 <xgerman> #topic announcements 14:02:51 <xgerman> PTL elections finished… they have the results somewhere 14:03:20 <xgerman> OpenStack summit is in two weeks or so!! 14:04:01 <xgerman> OSIC closed (https://t.co/dhFAyhOVy5) 14:04:16 <SridarK_> xgerman: :-( 14:05:00 <xgerman> yeah, things always get chaotic when I am on PTO :-( 14:05:14 <xgerman> #topic Pike 14:06:05 <xgerman> Pike-2 is 6/12 ~6 weeks 14:06:32 <xgerman> How are things shaping up? 14:06:37 <xgerman> L2 support/OVS? 14:07:02 <chandanc> I had posted the documents on the ovs changes 14:07:23 <chandanc> i hope people could go through them 14:07:44 <chandanc> Was able to setup the testbed and do the required code changes 14:07:59 <reedip> Hi 14:08:00 <chandanc> traffic testing is pending though 14:08:02 <SridarK_> chandanc: sorry i am really swamped on other things at work - but will definitely review it 14:08:18 <chandanc> SridarK_, no problem, was busy myself too 14:08:26 <xgerman> yeah, I will have a look as well 14:08:34 <chandanc> code changes are actually much simpler 14:08:44 <SridarK_> chandanc: that is good 14:08:47 <xgerman> we really need to work on our review velocity — I see kevinb and others pitching in a lot though ;- 14:08:47 <chandanc> i will push up a patch by the week 14:08:48 <xgerman> ) 14:09:02 <xgerman> chnandanc this is grand 14:09:16 <SridarK_> xgerman: yes +1 - i have become very slow but after next week shd be back to usual 14:09:17 <chandanc> ya, but testing will be a major task 14:09:37 <SridarK_> chandanc: yes esp interop 14:09:40 <SridarK_> with SG 14:09:45 <xgerman> +1 14:09:56 <chandanc> one more thing to mention, i have introduced a flag for coexistance 14:10:21 <SridarK_> chandanc: meaning if u see the SG driver loaded ? 14:10:30 <chandanc> we will need some way to figure out if the FWAAS driver is in standalone or coexistance mode 14:10:33 <yushiro> Hi. Sorry for late. 14:10:39 <xgerman> n.p. 14:10:39 <chandanc> ya 14:10:56 <yushiro> I just arrived at my home. 14:10:57 <chandanc> currently i am setting it manually 14:10:59 <xgerman> chandanc worst case we use a configuration flag 14:11:12 <SridarK_> +1 14:11:16 <chandanc> ya, was thinking of that 14:11:33 <SridarK_> eventually we may need some basic infra to see what features are loaded 14:11:42 <SridarK_> but now i think it is just 2 14:11:53 <SridarK_> or rather it will be 2 14:12:15 <chandanc> i dont want that to be in the driver, but may be the agent can pass the config option, but i am ready to change driver too if need be 14:12:47 <cuongnv> o/ 14:12:51 <SridarK_> chandanc: yes that is defn a possibility 14:13:05 <SridarK_> but it may be tricky in terms of ordering 14:13:11 <SridarK_> hmm no 14:13:16 <chandanc> please, have alook at the spread sheet and provide feedback 14:13:24 <SridarK_> may be we can glean that off neutron.conf 14:13:35 <xgerman> likely 14:13:46 <chandanc> currently i am forcing FW to be loaded before SG 14:13:54 <chandanc> using table numbers 14:14:05 <xgerman> k, we can make that our assumprion 14:15:03 <chandanc> i think the details will be clear if you have a look at the excel sheet 14:15:13 <SridarK_> chandanc: ok +1 14:15:44 <xgerman> k 14:15:55 <chandanc> thanks SridarK_ xgerman 14:16:12 <xgerman> with yushiro we can chat about the default fwg 14:16:28 <yushiro> ya 14:16:39 <xgerman> I think it’s shaping up nicely 14:17:23 <reedip> hi 14:18:03 <yushiro> xgerman, thanks. 14:18:14 <yushiro> I'm locally updating in L2-agent side. 14:18:32 <yushiro> regarding default fwg, I'm now writing UTs. 14:18:55 <xgerman> nice 14:18:57 <SridarK_> yushiro: cool, we will have some impact on the plugin side too 14:20:21 <yushiro> SridarK_, yeah. Now, l2-agent side includes bug for deleting/updating. 14:20:25 <SridarK_> When a VM with a FWG is deleted 14:20:26 <reedip> I just came here to drop a quick message - https://review.openstack.org/#/c/455422/ : Adds protocols for FWaaS which can be further used in Common Classifier Model 14:20:26 <reedip> - https://review.openstack.org/394619 : Adds the full stack framework, tests can be added into it later on. 14:20:26 <reedip> - https://review.openstack.org/#/c/440331/7 : dependent om 455422(1) 14:20:51 <SridarK_> reedip: cool u really should not be here !! ;-) 14:21:18 <reedip> I know , she switched my PC off , I asked for 10 min though 14:21:28 <SridarK_> reedip: ;-) 14:21:34 <xgerman> reedip did you see kevinb’s comment on https://review.openstack.org/394619? 14:21:59 <xgerman> He says we should run some experimental gate frist 14:22:02 <xgerman> first 14:22:06 <reedip> leaving , ciao 14:22:08 <yushiro> reedip, wow, you're holiday now? Thanks for your notification. 14:22:18 <xgerman> thanks 14:22:44 <xgerman> but two out of three are stuck — so not sure if we should drive while reedip is away or wait… 14:23:08 * xgerman sends memory by pidgeon 14:23:19 <SridarK_> :-) 14:23:39 <SridarK_> xgerman: i think we can hold off - we probab have our focus with L2 14:23:40 <yushiro> OK, so, in l2-agent, I'd like to reach out Paddu about that. This patch should be shaped more. 14:23:58 <xgerman> SridarK_ +1 - that’s what I am thinking as well 14:24:04 <SridarK_> yushiro: yes i think we may have a small issue on that front 14:24:17 <outofmemory> xgerman : I will ping you later for that :) 14:24:28 <xgerman> k 14:24:59 <yushiro> SridarK_, yeah. in my local patch, if vm port is created, default fwg can be associated and change into 'ACTIVE'. 14:25:49 <xgerman> nice 14:25:59 <yushiro> In this timing, in plugin layer, a validation between fwg and ports will be executed. 14:26:22 <yushiro> Current implementation, it is validated between context.tenant_id and tenant_id for port. 14:26:27 <SridarK_> yushiro: when the port gets deleted - we may be ok in terms of cascade delete on the port resource so will remove the row in the FWG association table 14:26:39 <SridarK_> yushiro: +1 14:27:26 <yushiro> However, context will be changed into admin priviledge, so it should be validated tenant_id between fwg and port. 14:28:19 <yushiro> SridarK_ has commented in plugin source code about that :) 14:28:36 <yushiro> OK, anyway, I'll update patch and please take a look. 14:28:49 <xgerman> sounds good 14:28:59 <SridarK_> yushiro: ok we may have some corner case - but we can deal that next 14:29:41 <yushiro> folks, here is procedure for default fwg + l2-agent + ovs firewall driver:https://etherpad.openstack.org/p/fwaas-v2-l2-agent 14:29:56 <SridarK_> yushiro: thanks 14:29:57 <yushiro> But xgerman sent us much more better procedure :) 14:30:16 <xgerman> well, I didn’t work it out — just something to think about… 14:30:43 <SridarK_> xgerman: yes makes sense 14:31:00 <yushiro> xgerman, In fact, I'm afraid of applying patch in building devstack :) But it is safety than doing db migration. 14:32:10 <xgerman> I do it all the time — but devstack is fickle 14:32:56 <xgerman> Last items are Horizon support and CL 14:32:58 <xgerman> I 14:33:08 <yushiro> SridarK_, xgerman That's all for l2-agent / default fwg side. 14:33:17 <xgerman> thanks 14:33:40 <SarathMekala> on the Horizon side, I am able to get the Policies tab fully functional now 14:33:48 <xgerman> yeah!! 14:33:49 <SarathMekala> with this policies and rules tabs are ready 14:33:51 <SridarK_> SarathMekala: great 14:33:59 <SarathMekala> I am working on the firewall tab 14:34:15 <SarathMekala> I got swamped with work last week and the progress was a lil slow 14:34:35 <SarathMekala> I will ensure that it gets ready by next week 14:34:48 <SarathMekala> I have a few questions in between 14:34:51 <xgerman> I think we still want to demo that in BOS? 14:35:07 <amotoki> hi, one question on fwaas-dashboard. it seems a right topic 14:35:07 <SridarK_> xgerman: +1 14:35:29 <SarathMekala> yes xgerman, by next week I meant our next weekly sync up 14:35:52 <SarathMekala> yes amotoki 14:36:01 <SarathMekala> whats your question? 14:36:19 <amotoki> hi, is anyone creating a repo of neutron-fwaas-dashboard? 14:36:41 <SarathMekala> I have created one 14:36:45 <yushiro> sorry, suddenly logged out from IRC. 14:37:06 <amotoki> SarathMekala: sounds nice. thanks 14:37:15 <SarathMekala> we are following the plugin model as suggested by Rob cresswell 14:37:30 <SarathMekala> ok.. thanks 14:37:32 <amotoki> I am planning to move FWaaS v1 stuff to the plugin too. 14:37:48 <amotoki> of course if you don't mind 14:38:12 <SarathMekala> sure.. the namespaces are different, so should not be a problem 14:38:47 <amotoki> i can review the plugin implementation too 14:38:53 <SarathMekala> sure amotoki 14:39:05 <SarathMekala> will add you to the reviewer list once I check in 14:39:10 <SarathMekala> I have a few questions regarding V2 firewall tab 14:39:37 <SarathMekala> should the user have the functionality to add/remove ports on the firewall table? 14:39:42 <xgerman> amotoki we are planning on sunsetting FWaaS-V1 towards the end of the R-release 14:40:33 <amotoki> xgerman: sounds good to me too :) 14:40:38 <yushiro> yes 14:41:10 <SarathMekala> yushiro, this is as a part of the action button 14:41:30 <SridarK_> SarathMekala: yes i think this would be right place to set the association 14:41:41 <SarathMekala> ok 14:41:52 <SridarK_> ingress policy, egress policy, port associations 14:41:55 <SarathMekala> this way we will end up with 6 actions 14:42:01 <SarathMekala> yes.. add and remove for them 14:42:18 <SarathMekala> and update and delete the firewall group actions 14:42:39 <yushiro> SarathMekala, yes. But we should filter port candidate that not associated with any firewall_group. 14:42:56 <yushiro> SarathMekala, It's more kindly for a user. 14:43:15 <SarathMekala> yes 14:43:33 <SarathMekala> yushiro, if you have any pointers to the corresponding client methods it will save me some time 14:45:12 <yushiro> SarathMekala, OK. create/update/delete/insert rule/remove rule/ and 1? 14:45:48 <SarathMekala> yushiro, i need the pointers on port association and disassociation 14:46:05 <SarathMekala> and if any filtering logic is available already 14:46:19 <yushiro> SarathMekala, aha, OK. I understood. That's why you asked me last week :) 14:46:31 <SarathMekala> yes :) 14:46:45 <yushiro> it makes sanse. 6 actions. 14:46:51 <SarathMekala> I need to use the neutron client for all my api calls 14:47:28 <yushiro> neutron client? v2 is only openstackclient. neutron one is for v1. 14:47:42 <SridarK_> SarathMekala: if i understand correctly, u will have a drop down or list of valid ports (ie those that do not have FWG associated) for that tenant 14:48:02 <SridarK_> and the user can pick from that list of valid ports 14:48:11 <SridarK_> to associate with this FWG 14:48:11 <yushiro> SridarK_, +1. Same project and not associated with any firewall_group. 14:48:22 <yushiro> as a candidate for association. 14:48:26 <xgerman> but if the user likes to change FWG? 14:48:29 <SridarK_> perfect 14:48:37 <SridarK_> xgerman: yes u read my mind 14:49:09 <SarathMekala> thanks SridarK_ 14:49:22 <amotoki> SarathMekala: yushiro: it is a correct thing to use neutronclient as bindings 14:49:25 <SridarK_> on the update scenario - u will need to display the currently associated ports and other valid ports 14:49:46 <SridarK_> so u can remove associate ports here 14:49:55 <SarathMekala> allow multiple ports to be added at once right? 14:49:59 <SridarK_> then these ports can go to the valid pool 14:50:04 <SridarK_> SarathMekala: yes 14:50:17 <SridarK_> i am thinking u pick the ports 14:50:19 <yushiro> SridarK_, +1 for ex. left side is currently associated, right side is valid ports.. 14:50:37 <SridarK_> SarathMekala: actually u can look at the FWaaSv1 dashboard for L3 port association 14:50:44 <SridarK_> it should be very similar 14:51:08 <xgerman> well, if we think of SG we should also allow picking vms? 14:51:14 <SarathMekala> ok SridarK_ will check it out 14:51:25 <yushiro> amotoki, you mean that 'actions' for horizon should be aligned with neutronclient one? 14:51:49 <xgerman> I think they should be aligned with a great user experience ;-) 14:52:00 <SridarK_> xgerman: i guess as a first step we will pick the neutron ports associated with the vms 14:52:02 <xgerman> Horizon/CLI target different types of users 14:52:05 <yushiro> xgerman, +1 :) 14:52:21 <xgerman> SridarK_ makes sense 14:52:24 <yushiro> SridarK_, I agree with you. 14:52:25 <amotoki> yushiro: horizon uses neutronclient bindings to talk with neutron. OSC fwaas plugin uses python bidngs 14:52:52 <yushiro> amotoki, aha, I see. thank you. 14:53:37 <SarathMekala> thanks amotoki 14:54:12 <amotoki> if you have something to be improved in horizon side itself for FWaaS v2, I can help you. 14:54:24 <xgerman> 5 minute warning 14:54:32 <SridarK_> amotoki: thx as always 14:54:37 <SarathMekala> thanks amotoki .. I will keep you in loop 14:55:07 <yushiro> sorry for intruppt. 14:55:26 <yushiro> Did you discussed FWaaS v2 presentation in b 14:55:30 <yushiro> boston ? 14:55:47 <xgerman> not yet 14:55:48 <SridarK_> yushiro: not yet 14:55:54 <xgerman> #topic BOS 14:55:57 <SridarK_> maybe we can meet offline 14:56:06 <yushiro> SridarK_, Yes. 14:56:10 <yushiro> chandanc, Is it OK for you? 14:56:27 <chandanc> sure 14:56:41 <xgerman> #topic Open Discussion 14:57:37 <yushiro> SridarK_, xgerman I'll udpate API reference docs for supporting v1. Thanks for your reply. 14:57:44 <xgerman> +1 14:57:49 <SridarK_> ok 14:57:53 <yushiro> SridarK_, did you see my e-mail? 14:57:59 <SridarK_> yes i did 14:58:01 <xgerman> we should mention that in BOS, too, to gather feedback 14:58:06 <SridarK_> will respond 14:58:10 <yushiro> yes. 14:58:26 <SridarK_> we can figure out a time to iron out the presentation 14:58:32 <SridarK_> for the summit 14:58:38 <chandanc> +1 SridarK_ 14:58:51 <yushiro> yes. 14:59:09 <SridarK_> sorry i have been very swamped so been difficult to keep up - after next week things shd be back to normal 14:59:27 <xgerman> #endmeeting