14:01:38 <SridarK> #startmeeting fwaas
14:01:39 <openstack> Meeting started Tue Aug  8 14:01:38 2017 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:42 <openstack> The meeting name has been set to 'fwaas'
14:01:43 <SarathMekala> hi all o/
14:01:54 <SridarK> #chair yushiro xgerman_
14:01:55 <openstack> Current chairs: SridarK xgerman_ yushiro
14:02:16 <SridarK> xgerman_: to run the mtg today ? Sorry i forget
14:02:36 <reedip_> It's hot here
14:02:43 <SridarK> ok i can do it
14:02:56 <SridarK> #topic Pike
14:03:16 <yushiro> thanks, SridarK
14:03:47 <SridarK> yushiro: chandanc: pls go ahead
14:04:04 <yushiro> #link https://review.openstack.org/#/c/323971/
14:04:12 <SridarK> chandanc: & I discussed over the weekend on some of the pending issues with L2 support
14:04:34 <xgerman_> o/
14:04:42 <yushiro> SridarK, chandanc yes, thanks for your discussion.
14:04:45 <xgerman_> sorry being late
14:04:51 <yushiro> xgerman_, NP :)
14:04:53 <chandanc> we have captured the discussion in mail
14:04:57 <SridarK> adding an option to ensure that the plugin will flag L2 ports is defn an option
14:05:12 <SridarK> xgerman_: sorry i think today is ur turn - i just got started
14:05:17 <SridarK> u can take over
14:05:54 <yushiro> OK, now, I just fixed some bugs in L2-agent patch and added UTs.
14:06:15 <chandanc> I have 2 more fixes to be done
14:06:18 <yushiro> sorry just late.. but will update once after this meeting
14:06:29 <chandanc> sorry yushiro carry on
14:06:48 <SridarK> thx yushiro
14:07:01 <xgerman_> +1
14:07:24 <yushiro> current patch included a validation between agent version('v1' or 'v2') and l2.
14:07:43 <yushiro> https://review.openstack.org/#/c/323971/43/neutron_fwaas/services/firewall/agents/firewall_agent_api.py@65
14:08:23 <yushiro> I think l2 support is only for 'v2'.  Therefore, I added the validation with agent version.
14:08:30 <reedip_> guys , I will be right back , need to go to the medical store ( 15 min )
14:08:46 <chandanc> from the driver part i have to fix one of the delete rule flows to be more specific and one pep8 issue
14:08:48 <yushiro> reedip_, OK, please take care!!
14:08:53 <SridarK> reedip_: no prob
14:09:14 <xgerman_> +1
14:09:43 <SridarK> yushiro: yes indeed no L2 support for v1
14:10:18 <SridarK> so for v1 we will not even be running the L2 agent piece correct ?
14:10:23 <SridarK> i will look at PS too
14:11:05 <yushiro> SridarK, yes correct.  If agent version is 'v1' and l2 feature is enabled, then failed to start q-agt.
14:11:20 <yushiro> SridarK, this is current behavior in patch 43.
14:12:21 <yushiro> In other words, this validation is for checking configuration in agent-side.
14:12:48 <SridarK> yushiro: ok
14:13:20 <yushiro> Next, default firewall_group, it is OK for testing now..
14:13:41 <xgerman_> nice
14:14:05 <yushiro> #link https://review.openstack.org/#/c/475183/ Add configurable option for default_firewall_group
14:14:38 <yushiro> I'm also updating this patch in local environment. ( Although it is WIP in gerrit )
14:15:35 <yushiro> BTW, SridarK, can I update l2-agent patch today?
14:16:00 <yushiro> Maybe you're trying to add some validation for server-side, aren't you?
14:16:30 <SridarK> yushiro: yes - the only piece is the check on ml2_conf.ini
14:16:44 <yushiro> SridarK, OK, thanks.
14:16:49 <SridarK> yushiro: i will send something to u
14:17:05 <yushiro> SridarK, Thank you so much!
14:17:10 <SridarK> best not to create another patch
14:17:45 <yushiro> Indeed.
14:17:49 <SridarK> yushiro: i am just thinking around the validation for v1
14:18:21 <yushiro> chandanc, https://review.openstack.org/#/c/447251/22  Do you know a reason for jenkins -1?
14:19:03 <chandanc> No i haven't looked yet
14:19:19 <chandanc> 2 tests are failing though
14:19:24 <SridarK> my thought on the validation for L2 support was to fail CRUD operations if an L2 port is provided and L2 support is not enabled
14:19:50 <SridarK> can we have the same approach for v1
14:20:28 <yushiro> SridarK, yes, we can validate on server-side I think.
14:20:49 <SridarK> yushiro: i think the scenario u are mentioning is if someone had a v2 server and started a v1 agent ?
14:21:17 <SridarK> i think we have validation for that already
14:21:30 <SridarK> yushiro: this in reference to ur latest change
14:21:42 <SridarK> maybe let me go thru the PS and then discuss
14:22:48 <yushiro> SridarK, ah, no.  My patch only validates between agent-side configuration parameters.  To tell the truth, I'd like to validate as you said..
14:24:06 <yushiro> Now, agent-side in fwaas has some parameters named 'agent_version', 'enabled', 'conntrack_driver', 'driver'...
14:24:14 <SridarK> yushiro: ok i am trying to think thru this too
14:25:11 <yushiro> In the future, we should validate a version between server-side and agent-side but it is difficult now because we don't have O.VO ( Oslo version object).
14:26:15 <SridarK> yushiro: yes u are correct
14:26:35 <reedip_brb> back
14:26:58 <yushiro> So, in this cycle, it's OK to have your validation(in server-side) and my patch's one(in agent-side).
14:28:16 <SridarK> yushiro: i think so - the validation i am talking abt is to ensure that no L2 ports will be handled at the plugin in case L2 support is not enabled
14:28:48 <SridarK> (either thru an explicit flag or checking for the presence of the FWaaS L2 driver in the .ini file)
14:29:34 <xgerman_> let’s back off we envisioned to ease migration to let people run V1 and V2 side-by-side
14:31:33 <yushiro> OK.
14:31:35 <SridarK> xgerman_: yes I am not sure what issues will surface there
14:31:47 <SridarK> xgerman_: but good point to think thru that
14:31:54 <reedip_> Won't V1 be similar to V2 having the L2 agent support turned OFF ?
14:32:18 <SridarK> reedip_: yes that was my thinking as well
14:32:33 <xgerman_> +1
14:32:56 <reedip_> sounds about right then
14:33:20 <xgerman_> well, we need to test all those combinations…
14:33:38 <reedip_> Note: We should keep this information as a documentation , so that when we start writing our migration document, we don't have to do a LOT of work
14:33:48 <SridarK> if u had a v1 plugin - i think we validate to ensure that ports are L3 already
14:34:03 <SridarK> reedip_: +1
14:34:15 <reedip_> Just an etherpad for now would work , I guess
14:34:40 <xgerman_> +1
14:35:18 <xgerman_> Most projects have docs in the code tree — we can always start a patch
14:36:00 <reedip_> xgerman_ : for the documentation, yes , I think a patch can be started
14:36:17 <yushiro> xgerman_, +1  we also need documentation for setting up and something...
14:36:55 <xgerman_> indeed…
14:37:48 <SridarK> yushiro: ok so i think we need to ensure that we have validation for L2 support and some UT fixes with the L2 agent PS
14:38:01 <amotoki> re: docs, it is nice to have in-tree documentation. If you feel the networking guide fits more, feel free to propose it to the neutron repo.
14:38:23 <yushiro> amotoki, thanks for your information..
14:38:26 <amotoki> I think we need more clear guideline on documentation in the neutron stadium projects in Queens
14:38:37 <SridarK> amotoki: +1
14:38:37 <xgerman_> +1
14:38:54 <yushiro> amotoki, in document deadline is same as neutron's one?
14:39:07 <reedip_> amotoki : how is the FWaaS documentation generated ? Can you advise?
14:39:12 <reedip_> SridarK : ^^
14:39:16 <SridarK> we have some level of docs on the setup and install but it can always be improved
14:39:24 <xgerman_> I think right now we are just in the networking guide
14:39:26 <amotoki> documentation with url /latest/ is always published from the master branch
14:39:44 <yushiro> aha, good, thanks.
14:40:02 <amotoki> perhaps we will have a branch version of documentation with /<foo>/pike or something, but at the moment I am not sure on this
14:40:19 <SridarK> reedip_: yes it is primarily networking guide
14:40:39 <yushiro> wow, it is reasonable for me but we should accelerate to publish our document.
14:40:59 <reedip_> Ok, because I got a comment from amotoki that FWaaS doesn't handle ICMP , as per the networking guide... so I wondered where to fix it :)
14:41:03 <amotoki> for docs, if it fits to stable branches, you can backport it
14:41:25 <amotoki> reedip_: I cannot remember the context ..
14:41:28 <yushiro> good idea
14:41:52 <SridarK> #action Team to check on doc updates
14:42:01 <reedip_> amotoki : https://review.openstack.org/#/c/440331/
14:42:02 <amotoki> for docs question feel free to ping me. if you have a specific document, i can advise more
14:42:11 <SridarK> amotoki: thx
14:42:28 <SridarK> yushiro: anything more on L2 agent ?
14:42:56 <yushiro> SridarK, It's all for me.  I'll do my best during Pike!!
14:43:33 <SridarK> yushiro: yes no worries - we will need to do more testing as well - which we all can do
14:43:34 <amotoki> reedip_: regarding https://review.openstack.org/#/c/440331/, you changed the behavior on ICMP but you do not mention it in the release note
14:43:41 <SridarK> chandanc: u had somethings to cover as well
14:44:00 <amotoki> so I put -1 on your patch, but it seems not addressed in patch set 16 :(
14:44:14 <amotoki> it is not related to the networking guide
14:44:14 <reedip_> amotoki: oh ok , you also added something about the documentation, so I was wondering to ask it. anyways, I can discuss it with you later...
14:44:27 <chandanc> not much from my side
14:44:44 <chandanc> i have fixed most of the comments raised on the driver patch
14:44:45 <amotoki> reedip_: ???
14:44:46 <reedip_> amotoki : both ICMPv4 and v6 will be checked
14:45:50 <SridarK> chandanc: on one of the issues u raised regarding conntrack across iptables and ovs
14:46:19 <SridarK> if we had SG on iptables and L2 FWaaS on ovs
14:46:51 <chandanc> SridarK: yes i mentioned that the conntrack entries are managed in the kernel and are shared between the iptables and OVS driver
14:48:28 <chandanc> just wanted to bring this point to the discussion
14:48:38 <chandanc> the ovs based driver explicitly creates these entries
14:50:04 <SridarK> we should have some clarity on potential impacts here if any
14:50:58 <chandanc> SridarK: yes we should test the conntrack part specifically
14:51:07 <SridarK> do others have some thoughts here too
14:51:28 <xgerman_> agree, we need to test
14:51:47 <yushiro> +1
14:52:32 <xgerman_> on the other hand we can always say you need to switch off SG for our current release
14:52:41 <xgerman_> and fix this in Queens
14:52:49 <chandanc> xgerman_: +1
14:53:04 <SridarK> xgerman_: yes that is where i was heading too -
14:53:22 <SridarK> this is probab needed until we test coexistence
14:53:50 <SridarK> I am not sure if we need to add another check here
14:54:12 <chandanc> SridarK: good idea
14:55:30 <SridarK> ok oops we are close to time
14:55:35 <SridarK> #topic Horizon
14:55:39 <TuanVu_> Hi guys, could you please check?
14:55:40 <TuanVu_> https://review.openstack.org/#/c/443385/
14:55:40 <TuanVu_> I really appreciate it if anyone can have a quick look.
14:55:40 <TuanVu_> Thank you in advance.
14:55:41 <SridarK> SarathMekala: amotoki:
14:56:01 <SarathMekala> #link https://review.openstack.org/#/c/475840/
14:56:14 <yushiro> TuanVu_, will take a look!
14:56:17 <SridarK> TuanVu_: yes i was wondering on one of the comments raised by Cedric on efficiency
14:56:19 <SarathMekala> I have uploaded a patch that adds the missing functionality of add/remove ports to FWG
14:56:24 <SridarK> needed to validate that
14:56:38 <SarathMekala> with this the UI is feature complete
14:56:57 <amotoki> hopefully test coverage is coming soon....
14:56:59 <SridarK> SarathMekala: ok great and as pointed by amotoki we have some time here on the dashboard
14:57:17 <SarathMekala> I am working on the test cases and will post in a couple of days
14:57:26 <SridarK> i think we have a good chance to make it with added UT
14:57:27 <SarathMekala> amotoki, yes am working on it :)
14:57:28 <amotoki> but I will be off most of the remaining days...
14:57:53 <SarathMekala> amotoki, can you review the code
14:58:06 <SarathMekala> I will send another review request for the test cases
14:58:08 <reedip_> yushiro ; do we have a check for https://review.openstack.org/#/c/443385/27 at CLI ?
14:58:11 <amotoki> I can do static reviews from POV of horizon view
14:58:17 <reedip_> TuanVu_ :^^
14:58:24 <SridarK> SarathMekala: can u send out a link on "How to test" for Horizon
14:58:47 <SridarK> maybe an etherpad ?
14:58:51 <SarathMekala> SridarK, sure.. I will prepare a document and share it across
14:58:59 <SridarK> yes email perhaps
14:59:06 <SarathMekala> sure.. will put it on ether pad
14:59:07 <amotoki> oh..... my devstack changes have been lost by SarathMekala's new patch set :(
14:59:11 <SridarK> something simple is good enough
14:59:13 <yushiro> reedip_, OK, will test it after finishing the meeting.
14:59:23 <SridarK> ok we are at time
14:59:29 <amotoki> SarathMekala: could you recover it?
14:59:37 <SridarK> lets continue if anything in fwaas IRC
14:59:40 <SarathMekala> amotoki, I will check and do the needful
14:59:47 <SridarK> thanks all for joining
14:59:53 <SridarK> #endmeeting