14:01:13 #startmeeting fwaas
14:01:14 Meeting started Tue Apr 25 14:01:13 2017 UTC and is due to finish in 60 minutes. The chair is xgerman. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:15 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:18 The meeting name has been set to 'fwaas'
14:01:31 #chair SridarK yushiro
14:01:31 Warning: Nick not in channel: SridarK
14:01:33 Warning: Nick not in channel: yushiro
14:01:33 hello
14:01:34 Current chairs: SridarK xgerman yushiro
14:01:42 #chair SridarK_
14:01:43 Current chairs: SridarK SridarK_ xgerman yushiro
14:01:58 ok, whose turn is it this week
14:02:00 ?
14:02:12 xgerman: i believe it is u :-)
14:02:21 ok
14:02:28 #topic announcements
14:02:51 PTL elections finished… they have the results somewhere
14:03:20 OpenStack summit is in two weeks or so!!
14:04:01 OSIC closed (https://t.co/dhFAyhOVy5)
14:04:16 xgerman: :-(
14:05:00 yeah, things always get chaotic when I am on PTO :-(
14:05:14 #topic Pike
14:06:05 Pike-2 is 6/12 ~6 weeks
14:06:32 How are things shaping up?
14:06:37 L2 support/OVS?
14:07:02 I had posted the documents on the ovs changes
14:07:23 i hope people could go through them
14:07:44 Was able to setup the testbed and do the required code changes
14:07:59 Hi
14:08:00 traffic testing is pending though
14:08:02 chandanc: sorry i am really swamped on other things at work - but will definitely review it
14:08:18 SridarK_, no problem, was busy myself too
14:08:26 yeah, I will have a look as well
14:08:34 code changes are actually much simpler
14:08:44 chandanc: that is good
14:08:47 we really need to work on our review velocity — I see kevinb and others pitching in a lot though ;-
14:08:47 i will push up a patch by the week
14:08:48 )
14:09:02 chandanc this is grand
14:09:16 xgerman: yes +1 - i have become very slow but after next week shd be back to usual
14:09:17 ya, but testing will be a major task
14:09:37 chandanc: yes esp interop
14:09:40 with SG
14:09:45 +1
14:09:56 one more thing to mention, i have introduced a flag for coexistence
14:10:21 chandanc: meaning if u see the SG driver loaded ?
14:10:30 we will need some way to figure out if the FWAAS driver is in standalone or coexistence mode
14:10:33 Hi. Sorry for late.
14:10:39 n.p.
14:10:39 ya
14:10:56 I just arrived at my home.
14:10:57 currently i am setting it manually
14:10:59 chandanc worst case we use a configuration flag
14:11:12 +1
14:11:16 ya, was thinking of that
14:11:33 eventually we may need some basic infra to see what features are loaded
14:11:42 but now i think it is just 2
14:11:53 or rather it will be 2
14:12:15 i dont want that to be in the driver, but may be the agent can pass the config option, but i am ready to change driver too if need be
14:12:47 o/
14:12:51 chandanc: yes that is defn a possibility
14:13:05 but it may be tricky in terms of ordering
14:13:11 hmm no
14:13:16 please, have a look at the spread sheet and provide feedback
14:13:24 may be we can glean that off neutron.conf
14:13:35 likely
14:13:46 currently i am forcing FW to be loaded before SG
14:13:54 using table numbers
14:14:05 k, we can make that our assumption
14:15:03 i think the details will be clear if you have a look at the excel sheet
14:15:13 chandanc: ok +1
14:15:44 k
14:15:55 thanks SridarK_ xgerman
14:16:12 with yushiro we can chat about the default fwg
14:16:28 ya
14:16:39 I think it’s shaping up nicely
14:17:23 hi
14:18:03 xgerman, thanks.
14:18:14 I'm locally updating in L2-agent side.
14:18:32 regarding default fwg, I'm now writing UTs.
14:18:55 nice
14:18:57 yushiro: cool, we will have some impact on the plugin side too
14:20:21 SridarK_, yeah. Now, l2-agent side includes bug for deleting/updating.
14:20:25 When a VM with a FWG is deleted
14:20:26 I just came here to drop a quick message - https://review.openstack.org/#/c/455422/ : Adds protocols for FWaaS which can be further used in Common Classifier Model
14:20:26 - https://review.openstack.org/394619 : Adds the full stack framework, tests can be added into it later on.
14:20:26 - https://review.openstack.org/#/c/440331/7 : dependent on 455422(1)
14:20:51 reedip: cool u really should not be here !! ;-)
14:21:18 I know , she switched my PC off , I asked for 10 min though
14:21:28 reedip: ;-)
14:21:34 reedip did you see kevinb’s comment on https://review.openstack.org/394619?
14:21:59 He says we should run some experimental gate frist
14:22:02 first
14:22:06 leaving , ciao
14:22:08 reedip, wow, you're holiday now? Thanks for your notification.
14:22:18 thanks
14:22:44 but two out of three are stuck — so not sure if we should drive while reedip is away or wait…
14:23:08 * xgerman sends memory by pigeon
14:23:19 :-)
14:23:39 xgerman: i think we can hold off - we probab have our focus with L2
14:23:40 OK, so, in l2-agent, I'd like to reach out Paddu about that. This patch should be shaped more.
14:23:58 SridarK_ +1 - that’s what I am thinking as well
14:24:04 yushiro: yes i think we may have a small issue on that front
14:24:17 xgerman : I will ping you later for that :)
14:24:28 k
14:24:59 SridarK_, yeah. in my local patch, if vm port is created, default fwg can be associated and change into 'ACTIVE'.
14:25:49 nice
14:25:59 In this timing, in plugin layer, a validation between fwg and ports will be executed.
14:26:22 Current implementation, it is validated between context.tenant_id and tenant_id for port.
14:26:27 yushiro: when the port gets deleted - we may be ok in terms of cascade delete on the port resource so will remove the row in the FWG association table
14:26:39 yushiro: +1
14:27:26 However, context will be changed into admin privilege, so it should be validated tenant_id between fwg and port.
14:28:19 SridarK_ has commented in plugin source code about that :)
14:28:36 OK, anyway, I'll update patch and please take a look.
14:28:49 sounds good
14:28:59 yushiro: ok we may have some corner case - but we can deal that next
14:29:41 folks, here is procedure for default fwg + l2-agent + ovs firewall driver: https://etherpad.openstack.org/p/fwaas-v2-l2-agent
14:29:56 yushiro: thanks
14:29:57 But xgerman sent us much more better procedure :)
14:30:16 well, I didn’t work it out — just something to think about…
14:30:43 xgerman: yes makes sense
14:31:00 xgerman, In fact, I'm afraid of applying patch in building devstack :) But it is safety than doing db migration.
14:32:10 I do it all the time — but devstack is fickle
14:32:56 Last items are Horizon support and CL
14:32:58 I
14:33:08 SridarK_, xgerman That's all for l2-agent / default fwg side.
14:33:17 thanks
14:33:40 on the Horizon side, I am able to get the Policies tab fully functional now
14:33:48 yeah!!
14:33:49 with this policies and rules tabs are ready
14:33:51 SarathMekala: great
14:33:59 I am working on the firewall tab
14:34:15 I got swamped with work last week and the progress was a lil slow
14:34:35 I will ensure that it gets ready by next week
14:34:48 I have a few questions in between
14:34:51 I think we still want to demo that in BOS?
14:35:07 hi, one question on fwaas-dashboard. it seems a right topic
14:35:07 xgerman: +1
14:35:29 yes xgerman, by next week I meant our next weekly sync up
14:35:52 yes amotoki
14:36:01 whats your question?
14:36:19 hi, is anyone creating a repo of neutron-fwaas-dashboard?
14:36:41 I have created one
14:36:45 sorry, suddenly logged out from IRC.
14:37:06 SarathMekala: sounds nice. thanks
14:37:15 we are following the plugin model as suggested by Rob cresswell
14:37:30 ok.. thanks
14:37:32 I am planning to move FWaaS v1 stuff to the plugin too.
14:37:48 of course if you don't mind
14:38:12 sure.. the namespaces are different, so should not be a problem
14:38:47 i can review the plugin implementation too
14:38:53 sure amotoki
14:39:05 will add you to the reviewer list once I check in
14:39:10 I have a few questions regarding V2 firewall tab
14:39:37 should the user have the functionality to add/remove ports on the firewall table?
14:39:42 amotoki we are planning on sunsetting FWaaS-V1 towards the end of the R-release
14:40:33 xgerman: sounds good to me too :)
14:40:38 yes
14:41:10 yushiro, this is as a part of the action button
14:41:30 SarathMekala: yes i think this would be right place to set the association
14:41:41 ok
14:41:52 ingress policy, egress policy, port associations
14:41:55 this way we will end up with 6 actions
14:42:01 yes.. add and remove for them
14:42:18 and update and delete the firewall group actions
14:42:39 SarathMekala, yes. But we should filter port candidate that not associated with any firewall_group.
14:42:56 SarathMekala, It's more kindly for a user.
14:43:15 yes
14:43:33 yushiro, if you have any pointers to the corresponding client methods it will save me some time
14:45:12 SarathMekala, OK. create/update/delete/insert rule/remove rule/ and 1?
14:45:48 yushiro, i need the pointers on port association and disassociation
14:46:05 and if any filtering logic is available already
14:46:19 SarathMekala, aha, OK. I understood. That's why you asked me last week :)
14:46:31 yes :)
14:46:45 it makes sense. 6 actions.
14:46:51 I need to use the neutron client for all my api calls
14:47:28 neutron client? v2 is only openstackclient. neutron one is for v1.
14:47:42 SarathMekala: if i understand correctly, u will have a drop down or list of valid ports (ie those that do not have FWG associated) for that tenant
14:48:02 and the user can pick from that list of valid ports
14:48:11 to associate with this FWG
14:48:11 SridarK_, +1. Same project and not associated with any firewall_group.
14:48:22 as a candidate for association.
14:48:26 but if the user likes to change FWG?
14:48:29 perfect
14:48:37 xgerman: yes u read my mind
14:49:09 thanks SridarK_
14:49:22 SarathMekala: yushiro: it is a correct thing to use neutronclient as bindings
14:49:25 on the update scenario - u will need to display the currently associated ports and other valid ports
14:49:46 so u can remove associate ports here
14:49:55 allow multiple ports to be added at once right?
14:49:59 then these ports can go to the valid pool
14:50:04 SarathMekala: yes
14:50:17 i am thinking u pick the ports
14:50:19 SridarK_, +1 for ex. left side is currently associated, right side is valid ports..
14:50:37 SarathMekala: actually u can look at the FWaaSv1 dashboard for L3 port association
14:50:44 it should be very similar
14:51:08 well, if we think of SG we should also allow picking vms?
14:51:14 ok SridarK_ will check it out
14:51:25 amotoki, you mean that 'actions' for horizon should be aligned with neutronclient one?
14:51:49 I think they should be aligned with a great user experience ;-)
14:52:00 xgerman: i guess as a first step we will pick the neutron ports associated with the vms
14:52:02 Horizon/CLI target different types of users
14:52:05 xgerman, +1 :)
14:52:21 SridarK_ makes sense
14:52:24 SridarK_, I agree with you.
14:52:25 yushiro: horizon uses neutronclient bindings to talk with neutron. OSC fwaas plugin uses python bindings
14:52:52 amotoki, aha, I see. thank you.
14:53:37 thanks amotoki
14:54:12 if you have something to be improved in horizon side itself for FWaaS v2, I can help you.
14:54:24 5 minute warning
14:54:32 amotoki: thx as always
14:54:37 thanks amotoki .. I will keep you in loop
14:55:07 sorry for interrupt.
14:55:26 Did you discussed FWaaS v2 presentation in b
14:55:30 boston ?
14:55:47 not yet
14:55:48 yushiro: not yet
14:55:54 #topic BOS
14:55:57 maybe we can meet offline
14:56:06 SridarK_, Yes.
14:56:10 chandanc, Is it OK for you?
14:56:27 sure
14:56:41 #topic Open Discussion
14:57:37 SridarK_, xgerman I'll update API reference docs for supporting v1. Thanks for your reply.
14:57:44 +1
14:57:49 ok
14:57:53 SridarK_, did you see my e-mail?
14:57:59 yes i did
14:58:01 we should mention that in BOS, too, to gather feedback
14:58:06 will respond
14:58:10 yes.
14:58:26 we can figure out a time to iron out the presentation
14:58:32 for the summit
14:58:38 +1 SridarK_
14:58:51 yes.
14:59:09 sorry i have been very swamped so been difficult to keep up - after next week things shd be back to normal
14:59:27 #endmeeting