14:00:29 #startmeeting fwaas 14:00:35 Meeting started Tue Aug 1 14:00:29 2017 UTC and is due to finish in 60 minutes. The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:37 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:38 Hi everybody 14:00:39 The meeting name has been set to 'fwaas' 14:00:54 #chair xgerman_ yushiro 14:00:55 Current chairs: SridarK xgerman_ yushiro 14:01:12 Lets get started 14:01:18 o/ 14:01:47 #topic Pike 14:02:27 yushiro: chandanc: how are things looking with the L2 change 14:02:29 s 14:02:54 OK, let me sync up my progress 14:02:57 #link https://review.openstack.org/#/c/323971/ 14:03:37 Currently, my patch can work as I expected except illegal case. Now ready for review. 14:03:53 Sorry got disconnected 14:04:20 Regarding race condition when handle_port, it means VM port creation could avoid by using local vlan manager. 14:05:14 yushiro: ok, still some Jenkins issues 14:05:25 I'm changing Unittest now. 14:05:35 yushiro: ok 14:05:57 In plugin layer, we can call _core_plugin.get_port() and it can get port_db. 14:06:07 yushiro: yes 14:06:51 ok 14:06:54 However, in unittest, a return value of this method is missing 'binding:xxx' info. As a result, we cannot get 'binding:host_id' .. 14:07:52 https://review.openstack.org/#/c/323971/39/neutron_fwaas/services/firewall/fwaas_plugin_v2.py 14:07:54 In line 280 14:08:17 In devstack, we can get 'binding:xxx' info by using _core_plugin.get_port(). 14:08:42 So, I'll dig more in UT. 14:09:13 yushiro: yes sounds good 14:09:29 In addition, I sent e-mail to folks about deleting firewall group constraint. 14:09:41 would this be the only thing that need to be fixed 14:10:08 yes. 14:10:29 Currently, firewall group can not delete while status is 'ACTIVE'. 14:10:59 doesn't this make sense 14:11:23 yushiro: yes this will need to be fixed given that our deployment model has changed 14:11:24 what should happen if the vm is deleted ? 14:11:53 if the vm is deleted the SG still hangs around 14:12:06 so I would expect the same for FWG 14:12:40 but i think the firewall rules for the port need to be cleaned up 14:12:51 chandanc, If VM is deleted, Vm port also deleted. 14:12:52 yes — 14:13:00 i hope we dont have a race there 14:13:03 xgerman_: yes but we have slightly different approach mainly due to our L3 legacy 14:13:45 chandanc: yes it may be harmless as the port is gone but still we will have unnecessary rules hanging around 14:13:51 we will need the cleanup 14:14:17 chandanc, xgerman_ yes, when deleting VM instance, currently it raises in neutron-side. 14:14:22 ok, will check if the port id is enough for cleanup 14:14:23 hi 14:14:25 sorry 14:14:30 we will need to check this 14:14:31 I filed a bug report about it. https://bugs.launchpad.net/neutron/+bug/1707913 14:14:31 really sorry 14:14:32 Launchpad bug 1707913 in neutron "OVS driver - OVSFWPortNotFound when deleting VM port affects agent extension framework" [Undecided,New] 14:14:33 chandanc: yes 14:14:56 +1 14:15:07 ok lets discuss more on this offline 14:15:11 the only thing is the contrack zone 14:15:21 chandanc: how are things on ur end 14:15:31 chandanc, Yes, please check ovs-ofctl dump-flows br-int 14:15:40 I was with yushiro begining of the week 14:15:53 but couldnot do much for the delete case 14:16:04 we figuredout the create race 14:16:12 chandanc: ok 14:16:53 lets spend a few mins to make a call on L2 support for Pike 14:16:55 i will check how we can escape the delete race 14:17:03 chandanc: ok 14:17:09 ok SridarK 14:17:24 chandanc, I found something delete case. let's talk after this meeting if you have time :) 14:17:37 sure 14:17:42 looks like I gained an invisibility cloak before the meeting .... expecto patronum .... ! 14:17:53 :-) 14:18:14 reedip_, :) :) :) 14:18:21 :-) 14:18:28 reedip_, you're here :) 14:18:46 Yes, reached a while back 14:18:50 given where we stand do u think it is realistic to push for L2 support ? 14:19:25 at the risk of getting something in where we have not had a chance to do some rigorous testing 14:19:53 SridarK, yes, I'm concern about configurable patch for default fwg. 14:20:36 if we have it behind a feature flag I am ok with putting it in and saying that support is “experimental” 14:20:47 in one word , no ... in a more descriptive format, considering that its feature freeze, it might introduce some issues 14:21:15 feature freeze only applies to new features — we still can finish our old ones ;-) 14:21:30 however, we can introduce it as an experimental feature with some configuration option as NO ( if we set it to yes then we can test the experimental features ) 14:21:32 xgerman_: i too am worried about all the delete and default firewall group cases 14:21:44 xgerman_ : L2 and default fwg are new features :) 14:21:56 yes, but we had patches out for a while 14:22:11 chandanc, deleted by admin? 14:22:38 so technically they are not affected by feature freeze… 14:22:57 delete port from fwg should move to defaut fwg ? 14:23:05 we can take the approach of "disabled by default" 14:23:06 i am not sure of that use case 14:23:09 xgerman_ though this is a question of perspective, I agree with you that we can push it in P3 14:23:09 chandanc, yes 14:23:33 yushiro: lets speak after this meeting 14:23:38 but still we should feel confident as a team with some level of end to end testing 14:23:39 sure 14:23:46 SridarK : lets take the vote on disabled by default ... what do you say ? 14:24:21 Atleast it would guaruntee that we have time for testing and the feature can still be pushed into pike 14:24:22 reedip_: my thought is that we will need to take this approach without question 14:24:40 but even with that we should not have open issues 14:24:53 esp being a security featue 14:24:56 *feature 14:25:15 reedip_, SridarK sorry for confusing. I'll do my best until FFE for configurable patch of default fwg. 14:25:38 yushiro: no worries - it is good to have an open discussion 14:25:58 I am ok to push things with minor known bugs… but I am a bit more aggressive then most ;-) 14:26:33 xgerman_: :-) no i agree as long as we have minor issues with well know caveats that we can release note 14:26:34 :) 14:27:26 in any case we need to closely coordinate with Neutron since they are doing the release and have our FFEs filed, etc. 14:27:56 SridarK, xgerman_ 1 question. Should we send e-mail about FFE on ML? 14:28:00 and definitely realistically we all have been juggling multiple things so the bandwidth allocation has been a challenge for all 14:28:07 So if we disable l2 by default, will the cli disable creation of FWG with l2 ports ? 14:28:28 chandanc: good point 14:28:35 chandanc : CLI should check if L2 is available 14:28:47 even the UI has to take this into account 14:28:57 reedip_: yes thats what i ment 14:29:02 chandanc: we can always fail the validation in the plugin 14:29:05 can be possible if it is created as an extension :( 14:29:11 or just ignore l2 ports ? 14:29:18 yes, if it’s an extension we cna check 14:29:32 otherwise we throw errors and user exp sucks 14:30:01 chandanc : does it have to be a major change to make an extension out of the L2 FWG ? 14:30:15 Do we have a separate extension for l2 only ports 14:30:17 hmm as an ext - it is really the attributes 14:30:34 that can be tricky as it is still a port attribute 14:30:36 you can have everyhting as an ext 14:30:46 i think the extension is fwaas_v2 14:30:49 I mean, enable L2 FWG if the extension is loaded ? 14:30:51 If it is not loaded ,then the CLI/UI can handle the error 14:30:53 i may be wrong 14:31:10 extensions = fwaas_v2 should be set in ml2_conf.ini in order to run l2 support 14:31:19 chandanc : patch ID ( I forgot the link ) 14:31:21 no, in LBaaS I once wrote an extension to enable cascading delete (one flag was set to true) 14:31:50 yushiro that is the plugin 14:31:51 I was also wondering if a flag can be used for this 14:31:57 extension is the API we support 14:32:01 reedip_: dont have it handy, will mail 14:32:11 i think the simplest thing to do is to check if the L2 driver is loaded, then the plugin will allow L2 ports in the validation 14:32:14 lemme check the gitreview 14:32:49 else it will fail the validation and throw an exception or log message 14:32:54 SridarK: so the check is at plugin level right ? 14:32:56 chandanc : this one right : https://review.openstack.org/#/c/447251/ ? 14:33:00 chandanc: yes 14:33:01 extensions from LBaaS: https://github.com/openstack/neutron-lbaas/tree/master/neutron_lbaas/extensions 14:33:28 any API change is an extension 14:33:33 So here is my understanding 14:33:37 SridarK, +1 OK, I'll add a validation to check l2 driver condition. 14:34:04 the fwaas v2 has a single extension, but we want to disable l2 ports in fwaas v2 14:34:20 i think , this can be done at plugin level right ? 14:34:50 the extension needs to be loded to supported event the l3 ports 14:34:57 I think we are confuding two things: 14:35:02 chandanc, plugin side and agent side . 14:35:07 1) Does the API support L2 -> Extensions 14:35:10 plugin side 14:35:17 2) Is L2 working -> plugin 14:35:52 yushiro , chandanc : we are looking at this right ?? : https://review.openstack.org/#/c/323971/ 14:36:28 reedip_, right. Maybe we call it 'L2 driver' 14:36:33 Sorry still abit confused, if this is too confusing, we can discuss by mail 14:36:49 yushiro :yes, this isnt an extension per-se 14:37:21 reedip_, yes, xgerman_ explains 'extensions' for fwaas. 14:37:21 since the attribute in question is port, and our ext defines it already, we are only qualifying if it is L2 or L3 14:37:26 chandanc : currently what we have is more of a driver. We are not adding anything to the fwaas_v2 API attribute, are we ? 14:37:51 SridarK, correct. 14:37:56 reedip_: yes, this is my point 14:37:57 reedip_: yes nothing is being added to the API as it is still a port attribute 14:38:13 SridarK : Is there any parameter which seprates an L2 port from an L3 port? 14:38:18 or any attribute ?? 14:38:25 chandanc :: ^^ 14:38:30 well, they sometimes have dummy extensions since drivers can say which etxnesions they support 14:38:36 reedip_: it will be the device owner 14:38:53 xgerman_, you mean 'noop' driver ? 14:39:05 u will need to examine the port resource to determine to figure if it is L2 or L3 14:39:13 SridarK : so it means the value may be changed but the APU attribute would be the same 14:39:14 no, an extension which doesn’t define any attributes and drivers say they support that 14:39:29 OK 14:39:49 xgerman_: basically an ext that will define a flag for L2 support 14:39:57 yep 14:39:59 xgerman_: something like fwaas_v2_l2_support ? 14:40:10 chandanc : that will be too complicated 14:40:11 and then the driver says it supports/doesn’t support that extension 14:40:25 xgerman : thats a much easier option 14:40:40 yeah, but I think checking if the l2 is loaded is prob. better 14:41:08 since a driver might support L2 but L2 isnt laoded 14:41:16 xgerman_: that would be simpler from code 14:41:28 but current l2 is only agent-side definition. I'll consider to check server-side as well as agent-side. 14:41:50 we need server side 14:41:51 yushiro: yes that is the downside - we will need to check on the server side too 14:42:03 yushiro : if the Extension is loaded, then we can pull up the agent-side code, right ? 14:42:06 to enable the validation to be done 14:42:12 SridarK, +10 14:42:43 reedip_, maybe yes and we can validate it in server-side. 14:42:51 but overall we should make an L2 extnesion since there might be 3rd party drivers whoch don’t support L2 14:43:04 yushiro : yes ... 14:43:19 xgerman_ : right :) 14:43:26 xgerman_: yes i think that is good so validation is done early 14:43:48 and 3rd parties can reuse the reference plugin 14:43:53 yes. or we can create 'noop' driver for l2. 14:44:27 ok , so we are agreed upon creating the extension 14:44:32 ok lets weigh some of these options 14:45:34 but still lets see how confident we are with an end to end test to atleast have the basic use cases working 14:45:38 SridarK : Lets put it on the mail 14:46:24 assuming we feel confident about that - we can adopt using an ext or just checking for an L2 driver 14:47:00 or both 14:47:14 off the top the checking for the L2 driver is easier from a code point of view this late in the game, but long term the ext makes it more cleaner 14:47:52 OK. 14:47:54 having an ext serve as an enable will make reuse of the plugin more clean 14:48:01 will implement validation. 14:48:01 yes, but if we release without extension we can’t add it later since we are taking functionality away instead of adding 14:48:03 +1 14:48:47 I am not sure if Neutron will actually enforce that with us… 14:48:55 xgerman_: hmm perhaps we will have the functionality but we realise it differently 14:49:05 first with a quick hack then with an ext 14:49:11 k 14:49:19 xgerman_: but good point - let me think more too 14:49:42 but mainly lets see how confident we are with the L2 agent - driver integration 14:49:50 +1 14:49:52 ok lets take it offline 14:50:00 running out to time 14:50:07 #topic Horizon 14:50:23 I have some updates 14:50:27 SarathMekala: amotoki: pls go ahead 14:50:49 I am working on the add/remove port forms 14:51:14 and looking at the UI, I am opting for the following approach 14:51:36 SarathMekala: ok do u need to ask for an FFE - i think there is less concerns here 14:51:48 I added devstack support to SarathMekala patch 14:52:05 amotoki: great thx 14:52:06 I am not sure we can land the v2 patch in FFE time frame even though it is low-risk 14:52:41 as far as i checked, the current UT proposed is just a copy from v1 stuff and there seems a lot of work to pass UT 14:53:03 amotoki: ok i was hoping that this is definitely low risk as u mention 14:53:24 amotoki, yes.. I did not update the UT yet 14:53:54 if the team would like to request FFE for v2 dashboard, please go ahead 14:54:04 SarathMekala: do u feel comfortable to get this done - it should get an FFE with amotoki's support too 14:54:15 +1 14:54:17 it is better to follow the official neutron stadium process as it is a project under neutron 14:54:27 +1 14:54:36 sure SridarK, I will sync with amotoki and send across a mail to the team 14:54:56 i would like to see extensive tests from fwaas team 14:55:16 SarathMekala: ok perfect and u should be present in the drivers team mtg too 14:55:19 amotoki: +1 14:55:30 ok.. I need to put in a few more UI design considerations for review here 14:55:42 SarathMekala: we will start doing some manual testing 14:55:42 sure SridarK 14:55:48 SarathMekala, thanks for your great work :) 14:55:58 I will ping you offline 14:55:59 SarathMekala: go ahead pls - we only have 5 mins 14:56:11 sure 14:56:13 we can continue on fwaas channel if we hit time 14:56:26 sure.. I have a few things to discuss 14:56:41 In the FWG tab, the row actions will be the following 14:56:54 update FwG, Delete FWG, Add Port and Delete Port 14:57:24 I am thinking adding Add Ingress Policy, Delete Ingress Policy 14:57:33 as well as Egress Policy actions will be a bit too much 14:57:56 so Ingress/Egress policy addition/deletion can be done during FWG edit operation 14:58:06 SarathMekala, +1 14:58:08 SarathMekala: we could have policy and a selector for Ingress or Egress ? 14:59:07 SridarK, a selector is present.. but for updating I dont want to add it as a row btn action 14:59:21 SarathMekala: ok 14:59:28 so effectively, to update ingress/egress policies we need to update the FWG 14:59:34 we are almost at time 14:59:34 I think it is better to gather feedbacks for improvements from fwaas team after running the dashboard (using something like etherpad) 14:59:38 correct 14:59:41 but add/delete ports will be similar to insert rules 14:59:54 amotoki, +1 14:59:55 lets continue on fwaas channel 14:59:59 sure 15:00:03 points from SarathMekala coves a few I think 15:00:04 OK, let's move on :) 15:00:14 *covers* 15:00:20 thx all for joining - priorites is to get L2 support decisions and defn try to get in Horizon 15:00:29 #endmeeting fwaas