13:59:55 <SridarK> #startmeeting fwaas
13:59:56 <openstack> Meeting started Thu Oct 19 13:59:55 2017 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:59:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:59:59 <openstack> The meeting name has been set to 'fwaas'
14:00:06 <SridarK> #chair xgerman_ yushiro
14:00:07 <openstack> Current chairs: SridarK xgerman_ yushiro
14:00:46 <SridarK> Firstly apologies i had to miss last week's meeting and also the last week has been busy on other things at work
14:00:55 <SridarK> lets get started
14:01:06 <openstackgerrit> Murali Annamneni proposed openstack/neutron-fwaas master: Enable MySQL Cluster Support for neutron-fwaas  https://review.openstack.org/513392
14:01:16 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: FWaaS v2 extension for L2 agent  https://review.openstack.org/323971
14:01:17 <SridarK> Great that the Dashboard patch is in
14:01:30 <xgerman_> +1
14:01:40 <SridarK> #topic Queens L2 support
14:01:44 <yushiro> +1 thanks Sarath akihiro
14:01:59 <SridarK> and thanks yushiro as well
14:02:10 <yushiro> SridarK, Aha :)
14:02:13 <doude> Hi
14:02:27 <SridarK> yushiro: pls go ahead i think we are almost there
14:02:42 <yushiro> OK, let me explain something
14:02:54 <SridarK> #link https://review.openstack.org/#/c/323971/
14:03:53 <yushiro> Yesterday, annp and I discussed handling the fixed_ip address.
14:04:20 <yushiro> We decided to handle it on the driver side, the same as neutron ovs-agent.
14:05:16 <yushiro> So, we've included 'fixed_ips' into port_detail parameter and send port_detail to driver-side.  Here is our latest version.
14:05:46 <yushiro> I've tested it in my environment and it works fine.
14:06:07 <yushiro> So, If zuul got +1 for l2-agent patch,  I think it's OK to be merged..
14:06:34 <annp> +1 yushiro :)
14:06:54 <xgerman_> nice —
14:07:30 <SridarK> yushiro: i see some details for test setup on etherpad https://etherpad.openstack.org/p/fwaas-v2-l2
14:07:44 <SridarK> I will do some testing by tomorrow as well
14:08:16 <yushiro> SridarK, Yes.  However, let me check 1 thing about releasing.
14:08:44 <yushiro> When is a final deadline for Q-1?  tomorrow?
14:09:11 <SridarK> yushiro: hmm i am not sure that it is that critical
14:09:33 <SridarK> we will need to merge the driver as well for things to be functional
14:09:46 <yushiro> SridarK, Yes, exactly.
14:09:55 <hoangcx_> yushiro: SridarK Here https://review.openstack.org/#/c/512432/
14:10:13 <yushiro> hoangcx_, thanks
14:10:49 <SridarK> hoangcx_: thx
14:11:10 <xgerman_> We would need to bump the SHA here: https://review.openstack.org/#/c/512432/2/deliverables/queens/neutron-fwaas.yaml
14:11:33 <xgerman_> Q-3 is still not released
14:11:36 * mlavalle slides silently in
14:11:38 <xgerman_> Q-1
14:11:42 <SridarK> i think it is good we got the dashboard in - my feeling is that on the L2 support it is key that we do more testing
14:12:14 <yushiro> xgerman_, thanks.  SridarK OK I see.
14:13:11 <yushiro> Ah, I have 1 concern about l2 patch.  Currently, if we try to associate a port into different firewall_group at the same time, a relation will be broken.
14:13:20 <SridarK> i think for things to make sense: the FWaaS L2 Agent, L2 Driver and Def FWG needs to be in
14:14:15 <SridarK> yushiro: but i am thinking validation on the plugin shd fail that
14:15:14 <yushiro> SridarK, I think this is race condition.  2 requests try to check DB status at same time.
14:15:22 <SridarK> yushiro: aha ok
14:15:44 <annp> Sridark, yushiro: we've already pushed patch for fixing that
14:15:46 <yushiro> We don't guard in DB layer in FirewallGroupPortAssociation table.  I think we need to have unique constraint for 'port_id' in this table.
14:15:59 <yushiro> annp, yees.. could you paste your patch?
14:16:06 <annp> https://review.openstack.org/#/c/512154/
14:16:08 <SridarK> ok and annp that is ur patch
14:16:36 <annp> As reedip said: we don't need a migration file
14:16:51 <annp> So i removed this file.
14:17:44 <SridarK> annp Hmm it is the same db table for L3 ports as well
14:17:47 <yushiro> annp, sorry.  What are you going to fix ??
14:18:09 <SridarK> so i am a bit confused - let me look more and think more after i am fully awake and comment on Gerrit
14:18:22 <mlavalle> lol
14:18:28 <SridarK> :-)
14:18:33 <yushiro> annp, I think your approach is better because we've already released fwaas v2 for L3.
14:18:48 <yushiro> mlavalle, Hi :)
14:18:51 <SridarK> yushiro: yes that was my thought too
14:19:12 <SridarK> lets comment on gerrit
14:19:13 <annp> SridarK: ok!
14:19:16 * mlavalle waves back to the entire team :-)
14:19:57 <SridarK> shall we move on to the driver ?
14:20:10 <yushiro> SridarK, yes, please.
14:20:14 <SridarK> #link https://review.openstack.org/#/c/447251/
14:20:15 <annp> Please go ahead
14:20:18 <SridarK> annp:
14:20:23 <annp> :)
14:20:25 <SridarK> pls go ahead
14:20:33 <SridarK> annp ^^
14:20:43 <SridarK> and annp thanks for the help on this
14:20:46 <annp> for ovs driver it's ready for reviewing and testing
14:20:58 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: OVS based l2 Firewall driver for FWaaS v2  https://review.openstack.org/447251
14:20:58 <annp> fwg can work co-existing with sg now
14:21:25 <yushiro> annp, yes.
14:21:25 <annp> yushiro, did you test this driver?
14:21:35 <SridarK> annp pls upd the testing etherpad with any details so all can test
14:21:39 <SridarK> https://etherpad.openstack.org/p/fwaas-v2-l2
14:22:05 <SridarK> annp: oh very nice that u have verified co-existence with SG
14:22:27 <yushiro> annp, Now I'm testing but failed to create VM instance (No sql_connection parameter is established)
14:22:47 <SridarK> This area will need careful testing (on co-existence)
14:23:06 <yushiro> annp and I discussed yesterday and annp replied to Inessa yesterday, right?
14:23:07 <annp> SridarK: Sorry, I don't have test case here. So Tomorrow, I will try to test and update etherpad
14:23:31 <annp> yushiro, yes. You can see that on gerrit.
14:23:41 <SridarK> annp: no worries - just share any details so others can also use that info for testing
14:24:16 <annp> SridarK, thanks. I hope you have chance to verify ovs driver :)
14:24:32 <SridarK> annp: yes i will test it as well
14:24:48 <yushiro> SridarK, Now i've updated  https://etherpad.openstack.org/p/fwaas-v2-l2  local.conf with OVS fw driver and L2-agent
14:24:59 <SridarK> yushiro: yes thanks for that
14:25:16 <xgerman_> +1
14:25:20 <SridarK> annp: anything else u would like to discuss ?
14:25:30 <annp> that's all from me :)
14:25:40 <annp> please go ahead
14:25:41 <SridarK> i think chandanc may be off this week
14:25:46 <yushiro> annp, I'll paste ovs-ofctl dump-flows br-int for testing.
14:26:09 <SridarK> yushiro: yes good idea
14:26:11 <annp> yushiro, really cool. it's useful for debugging
14:27:10 <SridarK> and on default fwg - i think we are ready to go - in a way it would make sense for this to get after the L2 agent patch
14:27:36 <SridarK> but looks like it is in need of a blessing from CI
14:28:03 <SridarK> yushiro: annp anything else u would like to discuss on L2
14:28:17 <yushiro> SridarK, 1 thing.  We've separated perfectly default fwg and l2-agent patch.
14:28:18 <SridarK> overall i think some great progress on this
14:28:28 <SridarK> yushiro: +1
14:28:44 <yushiro> 1. default fwg   2. l2-agent   3. Auto-association default fwg in l2-agent
14:28:52 <reedip_> hey guys , sorry, its a festival in India  ....  something similar to Hanabi
14:28:54 <reedip_> https://g.co/kgs/xgt8SL
14:29:03 <reedip_> late to join the meeting
14:29:17 <SridarK> and mlavalle also many thanks for increasing the priority on the blueprint (and for joining the mtg)
14:29:28 <SridarK> reedip_: no worries
14:29:33 <SridarK> ok lets move on
14:29:37 <yushiro> Patch '3.' is just updating handle_port()...
14:29:45 <yushiro> That's all.
14:29:49 <SridarK> yushiro: ok
14:30:15 <yushiro> reedip_, sounds excellent :)
14:30:18 <SridarK> that makes more sense to me
14:30:20 <mlavalle> SridarK: should it be higher. I wanted to give it visibility, but not put the team on the spotlight, without your consent
14:30:22 <SridarK> no
14:30:37 <SridarK> mlavalle: no that is fine i think - we are making progress
14:30:43 <xgerman_> +1
14:30:43 <mlavalle> cool
14:30:49 <SridarK> mlavalle: thx again
14:31:17 <xgerman_> mlavalle when will Q-1 be cut?
14:31:29 <mlavalle> today
14:31:41 <mlavalle> we had a patch lined up last night
14:31:58 <mlavalle> but still marked as WIP
14:31:58 <SridarK> and lets get in annp's patch on constraint for port_id
14:32:17 <yushiro> SridarK, +1
14:32:20 <xgerman_> +1
14:33:24 <annp> SridarK: Is there some concern?
14:33:40 <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Adding unique contraint for port_id  https://review.openstack.org/512154
14:33:41 <SridarK> ok on Q-1 - i think we are ok with L2 stuff getting in over the next few days and be part of Q-2
14:34:07 <reedip_> I think the migration in the port ID is not needed , TBH
14:34:15 <reedip_> I guess I am late for the party though :)
14:34:17 <SridarK> annp: no concerns - i think we are good on that - i will review again and we can close that
14:34:35 <annp> SridarK, Ok! :)
14:34:52 <xgerman_> +1
14:34:59 <SridarK> reedip_: we had some discussion on that but lets come back to that
14:35:05 <yushiro> reedip_, we talked about that before.  I think it's better to keep current approach because we've already published fwaas v2 with L3.
14:35:16 <SridarK> #topic Queens Dashboard
14:35:31 <reedip_> yushiro : hmm .. ok, lets take it up in a while
14:35:35 <SridarK> #link https://review.openstack.org/#/c/475840/
14:35:59 <SridarK> thanks SarathMekala amotoki and yushiro for jumping in as well
14:36:16 <SridarK> we have our first cut of dashboard support in
14:36:26 <yushiro> You're welcome!!!
14:36:36 <amotoki> thanks all
14:36:50 <SridarK> i think we acknowledge that there may be some tweaking reqd but it is good to have this
14:37:05 <amotoki> who wants to cut a release? it does not follow cycle-with-milestones, so we need to cut a release separately
14:37:25 <SridarK> and hopefully with L2 support in - it will be an incremental effort to add that
14:37:53 <amotoki> another info: please file bugs on remaining things on v2 dashboard with v2-dashboard tag
14:38:01 <reedip_> amotoki : ok
14:38:01 <amotoki> https://bugs.launchpad.net/neutron-fwaas-dashboard/+bugs/?field.tag=v2-dashboard
14:38:19 <SridarK> amotoki: thx for the info
14:38:20 <openstackgerrit> Nguyen Phuong An proposed openstack/neutron-fwaas master: Adding unique constraint for port_id  https://review.openstack.org/512154
14:38:27 <amotoki> and we need a release note for v2 dashboard before the release
14:38:38 <yushiro> amotoki, I'd like to help for cutting.  But I'm newbie :)
14:38:55 <amotoki> yushiro: i can help you if you'd try
14:38:59 <yushiro> amotoki, Thanks for launchpad link.  I'll migrate from etherpad to launchpad for bug.
14:39:10 <amotoki> yushiro: it is a simple thing
14:39:19 <yushiro> amotoki, Yes, thanks.
14:39:50 <SridarK> amotoki: thx, yushiro then we can take turns
14:40:24 <amotoki> one more thing: has anyone checked zuulv3 integration with fwaas dashboard?
14:40:24 <yushiro> :)
14:40:45 <yushiro> sorry, not yet.
14:40:52 <hoangcx_> amotoki: Yes. I do
14:40:59 <xgerman_> yeah, I was hoping it would be one of the instances where it works automagically
14:40:59 <reedip_> no, but I think there is a patch for zuul by hoangcx_
14:41:14 <reedip_> xgerman_ too positive :)
14:41:27 <SridarK> hoangcx_: can u point to ur patch pls
14:41:35 <amotoki> yeah, the dashboard consumes horizon, so one fix is needed.
14:41:42 <amotoki> this is what hoangcx_ proposed
14:41:42 <hoangcx_> https://review.openstack.org/#/c/513336/
14:41:51 <SridarK> hoangcx_: thx
14:42:08 <xgerman_> sweet
14:42:23 <hoangcx_> I fixed gate for fwaas and then the dashboard
14:42:45 <yushiro> hoangcx_, thanks
14:42:54 <SridarK> hoangcx_: thx
14:44:53 <SridarK> anything further on dashboard ?
14:45:03 <SridarK> if not we can move on
14:45:04 <amotoki> nothing from me
14:45:18 <SridarK> ok
14:45:26 <SridarK> #topic Open Discussion
14:45:42 <SridarK> doude: thx for the pointer to the doc in last mtg
14:45:54 <doude> np
14:45:57 <yushiro> amotoki, would it be possible to support cutting tomorrow?
14:46:03 <doude> did you had tie to look at it?
14:46:09 <yushiro> s/cutting/cutting release
14:46:15 <doude> s/tie/time
14:46:15 <SridarK> doude: not yet
14:46:22 <doude> and on the review?
14:46:32 <SridarK> doude: but i will look and we can discuss more from next week
14:46:42 <xgerman_> TC elections this week; next PTG week of 2/26 in Dublin, Ireland
14:46:44 <SridarK> if u think we are ready we can make that a regular topic
14:47:01 <doude> don't hesitate to ping me on IRC (I'm in French time zone)
14:47:10 <SridarK> doude: ok thx
14:47:13 <doude> yes
14:47:13 <amotoki> yushiro: perhaps I can
14:47:14 <reedip_> that's UTC +2, right?
14:47:14 <xgerman_> but doing CA hours?
14:47:16 <doude> Do you think it could land for Queens release?
14:47:23 <yushiro> amotoki, or today's midnight? (just joking) haha
14:47:24 <doude> yes UTC+2
14:47:33 <SridarK> xgerman_: will u be able to make the summit ?
14:47:36 <amotoki> yushiro: both works for me :)
14:47:38 <xgerman_> nope
14:47:52 <SridarK> doude: i think we can defn focus on that
14:48:11 <SridarK> once the L2 support is in - that should make things easier to prioritize
14:48:38 <doude> ok so until L2 stuff merge we can discuss the solution
14:48:42 <yushiro> amotoki, You're always superman :)  Please help me in tomorrow's morning.
14:48:48 <SridarK> doude: sounds good
14:49:06 <doude> and then when we decided how we'll proceed, I'll rebase my patch and update it
14:49:10 <SridarK> yushiro: +1
14:49:53 <amotoki> no problem. only difference is to go to bed early or to get up later :)
14:49:55 <xgerman_> +1
14:50:01 <SridarK> :-)
14:50:31 <yushiro> hahaha
14:50:49 <SridarK> I hope many of the folks will be at the summit
14:51:09 <reedip_> Nope ...
14:51:15 <yushiro> aha, 1 thing from me.
14:51:27 <reedip_> I have a forum topic but it doesn't seem that I would be going yet
14:51:37 <yushiro> Folks,  would you write your name if you join Sydney summit?  https://etherpad.openstack.org/p/fwaas-meeting
14:51:56 <yushiro> in Sydney summit attendee: section :)
14:52:02 <SridarK> reedip_: oh ok
14:52:32 <yushiro> reedip_, yeah, I checked you have a presentation :)
14:53:15 <yushiro> annp, I think to test with ovs fw driver.  Is it better to change sg driver for 'openvswitch' ?
14:53:39 <SridarK> yushiro: oh yes u bring up a good point
14:53:45 <xgerman_> +1
14:53:49 <annp> yushiro, yes.
14:54:02 <yushiro> OK, I'll describe in etherpad.
14:54:09 <SridarK> do we have to support SG on iptables ?
14:54:11 <annp> Please change! and let's see what will happen :)
14:54:22 <xgerman_> yeah, but we should be able to run against an iptables SG, too?
14:54:34 <xgerman_> that would be similar to FWaaS stand-alone
14:54:41 <annp> SridarK, I'm not sure, I haven't tested with this case.
14:54:50 <SridarK> annp: when u tested for co-existence with SG
14:55:02 <SridarK> what driver for SG did u use ?
14:55:09 <annp> I just tested with SG based ovs and fwg
14:55:22 <SridarK> annp: ok that is what i thought
14:55:37 <SridarK> and that seems to be the more straightforward case to support
14:55:49 <annp> yes, I think so.
14:56:00 <yushiro> done
14:56:01 <annp> We shouldn't care too much. :)
14:56:16 <yushiro> Plz check 'How to configure some config files:' section after deployed devstack.
14:56:18 <reedip_> care about what ??? ::)
14:56:19 <xgerman_> yep, as long as we document it
14:56:55 <annp> reedip, we shouldn't care about iptables hybrid
14:57:01 <yushiro> yes,  SG and FWG on OVS.  That is our real target.
14:57:02 <reedip_> kk
14:57:49 <annp> +1 yushiro.
14:57:51 <amotoki> if hybrid plug and hybrid SG driver are used, FW rules are applied at ovs flow and SG rules are applied at linuxbridge
14:57:53 <hoangcx_> I think we need to document it for something like "internal fwaas" as neutron does to help other contributors understand
14:58:12 <xgerman_> +1
14:58:34 <amotoki> i believe it works so ovs native support from fwaas is enough. is it right?
14:58:45 <yushiro> amotoki, +100
14:58:59 <SridarK> yes agreed
14:59:00 <xgerman_> yep — I just thought we would get the Hybrid for free
14:59:05 <yushiro> Yes, that is our target.
14:59:21 <annp> amotoki, yes, But i'm not sure. Let try to test with this case
14:59:45 <SridarK> ok we are at time (not that there is another mtg in our channel) but lets conform to the time
14:59:57 <reedip_> we have some DVR related issues as well .. I couldn't look into them but SridarK we need some input once you have time
15:00:00 <SridarK> Thanks all for attending
15:00:07 <amotoki> annp: yeah. needs tests. anyway the order of rule enforcements is important.
15:00:12 <SridarK> reedip_: got it
15:00:16 <xgerman_> +1
15:00:17 <SridarK> #endmeeting