14:02:13 <SridarK> #startmeeting fwaas
14:02:13 <openstack> Meeting started Thu Oct 26 14:02:13 2017 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:13 <reedip_> did the Daylight saving start ?
14:02:14 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:02:17 <openstack> The meeting name has been set to 'fwaas'
14:02:25 <SridarK> #chair xgerman_ yushiro
14:02:26 <openstack> Current chairs: SridarK xgerman_ yushiro
14:02:32 <SridarK> xgerman_: sorry pls go ahead
14:02:52 <SridarK> reedip_: no that is Nov 5 i believe
14:03:46 <xgerman_> One sec my computer is still booting
14:03:56 <reedip_> i5 or i7 ?
14:04:02 <SridarK> xgerman_: no worries
14:04:04 <xgerman_> i5 — but here I am
14:04:12 <yushiro> NP
14:04:13 <xgerman_> #topic Announcements
14:04:23 <reedip_> :)
14:04:32 <xgerman_> Neutron Q-1 was cut yesterday
14:04:44 <xgerman_> Newton also went EOL yesterday
14:04:51 <xgerman_> and we have a new TC
14:05:01 <reedip_> damn .. it seems only like yesterday that we were working on newton
14:05:03 <reedip_> :P
14:05:37 <doude> hi
14:05:47 <reedip_> hi doude
14:06:15 <xgerman_> yeah, I don’t have a TC link handy so you’ll need to google that ;-)
14:06:56 <reedip_> https://www.openstack.org/foundation/tech-committee/ ?
14:07:31 <xgerman_> thanks reedip_
14:07:33 <xgerman_> #topic Queens L2 support
14:07:49 <xgerman_> So we didn’t get that into Q-1 but got close!!
14:08:38 <xgerman_> yushiro what’s the latest?
14:08:45 <yushiro> xgerman_, sure.
14:09:11 <yushiro> #link https://etherpad.openstack.org/p/fwaas-v2-l2   Please refer 'Test cases for OVS firewall driver:' section
14:09:34 <SridarK> yushiro: thx this i think makes it more clear to test
14:09:45 <SridarK> and i think we can add more to it
14:09:47 <xgerman_> +1
14:10:02 <annp> yushiro, thanks
14:10:07 <yushiro> Now, I tested a few patterns.
14:10:16 <SridarK> I had some PTO this week so not much progress from me on testing - but will defn do some now
14:10:49 <xgerman_> I am swamped at work so not much FWaaS testing from me (though found some Octavia bugs I now need to fix)
14:10:57 <SridarK> but yushiro this is very clear
14:11:48 <yushiro> I'm checking diff before/after ovs-ofctl dump-flows br-int for OVS firewall driver.
14:13:05 <yushiro> e.g. If we add 'allow' icmp rule, it is added http://paste.openstack.org/compare/624411/624408/
14:14:01 <xgerman_> ok, and we are aiming for FWaaS standalone (switch off SG for test)?
14:14:16 <xgerman_> just double checking
14:14:42 <yushiro> xgerman_, yes, sure.  Now I'm testing sg + fwg  with 'openvswitch' driver.
14:14:43 <reedip_> annp just pushed a patch for SG and FWG
14:15:12 <annp> yes, https://review.openstack.org/#/c/515368/2
14:15:29 <xgerman_> awesome - I think this needs to be our default
14:15:57 <yushiro> annp, If we add 'deny' icmp rule, what rule will be added in ovs flow?  I tested before, but no specific rule is added.
14:16:50 <annp> yushiro, if you add deny icmp, no flows related icmp is added.
14:17:14 <annp> yushiro, icmp packets will be dropped.
14:17:38 <yushiro> annp, aha, OK.  thx.
14:17:59 <annp> regarding to fwg and sg can work as a defense in depth solution
14:18:55 <yushiro> annp, (start) ---> fwg ---> sg ---> (end)  Is that right?
14:18:55 <annp> my patch is under develop, however it can work with security group based ovs, for iptables_hybrid needs more works.
14:19:16 <xgerman_> yeah, I think most installs have SG and until we offer some sort of migration co-existence is the way to go
14:19:44 <annp> yushiro, it's right in https://review.openstack.org/#/c/515368/2
14:19:59 <xgerman_> well, let’s get OVS into Q-2 and then we can worry about hybrid later ;-)
14:20:25 <yushiro> xgerman_, +1  We should target 'openvswitch' firewall driver first.
14:20:49 <annp> xgerman_, tomorrow, i will remove hybrid and make it available for testing and reviewing. thanks.
14:21:07 <SridarK> yes i think that is best
14:21:23 <xgerman_> +1
14:21:27 <xgerman_> #topic Queens Dashboard
14:21:37 <annp> yushiro, regarding to l2 agent patch
14:21:59 <yushiro> yes
14:22:16 <annp> yushiro, we're missing allowed_address_pair and 'port_security_enabled' in port_details
14:22:57 <annp> yushiro, These attrs need for ovs driver
14:23:13 <SridarK> Also annp on the driver PS - are u good with things ?
14:23:14 <annp> yushiro, can i update l2 agent patch?
14:23:28 <yushiro> annp, OK, plz update.
14:23:43 <yushiro> annp, I think that is good point.
14:23:57 <annp> SridarK, yes! we need these attrs
14:24:31 <SridarK> thx annp
14:24:47 <yushiro> annp, I still don't get the point why these parameter is necessary for fwaas.  Please tell me after :)
14:25:00 <yushiro> s/is/are
14:25:01 <xgerman_> well port_security makes sense
14:25:11 <annp> ok, let me paste link for you
14:25:19 <yushiro> xgerman_, regarding dashboard
14:25:30 <xgerman_> yep, did we cut the release
14:25:31 <xgerman_> ?
14:25:32 <reedip_> guys ,I would be leaving now, will check the logs later .. sorry, urgent work
14:25:42 <yushiro> I'm so sorry  I couldn't have bandwidth to cut release yet.
14:25:53 <yushiro> in last week.
14:26:02 <annp> https://review.openstack.org/#/c/447251/46/neutron_fwaas/services/firewall/drivers/linux/l2/openvswitch_firewall/firewall.py@125
14:26:11 <yushiro> amotoki, hi,  are you there?
14:27:15 <yushiro> annp, ah, we should allow from/to mac_address which includes 'allowed_address_pairs'.  Thanks.
14:27:42 <xgerman_> ok, let’s try this week — ping me if you run into trouble and I will lean on some people I know who cut releases frequently (armax ahem)
14:27:47 <annp> SridarK, xgerman_, yushiro, I think allowed_address_pair is added on neutron. So I think we can keep this feature for neutron port
14:28:16 <xgerman_> yes, we need to support it — most people use it
14:28:27 <SridarK> +1
14:28:30 <xgerman_> but it’s an extension - so technically need to be able to run without
14:28:41 <xgerman_> but not Q-2
14:28:55 <annp> xgerman_, you're right.
14:28:59 <yushiro> xgerman_, I think so.
14:29:52 <yushiro> xgerman_, sure.  I will.
14:30:11 <yushiro> xgerman_, And, I'll migrate existing bugs for dashboard into launchpad.
14:30:28 <xgerman_> ok, thanks
14:30:30 <yushiro> from https://etherpad.openstack.org/p/fwaas-v2-dashboard
14:30:40 <xgerman_> sounds good
14:30:48 <annp> that's all from me. :)
14:30:56 <xgerman_> thanks!
14:31:12 <yushiro> SarathMekala, If you find another bug on dashboard,  feel fee to file a bug into fwaas dashboard launchpad :)
14:31:22 <yushiro> s/fee/free
14:31:28 <amotoki> yushiro: hi
14:31:37 <xgerman_> hi
14:31:40 <SarathMekala> hi yushiro .. yes... I was planning to sync up with you on that
14:31:57 <amotoki> ah... fwaas meeting time :)
14:32:02 <xgerman_> yes, I was curious about our next development after the Q-1 release
14:32:33 <xgerman_> or are we focusing on bug fixes?
14:32:44 <yushiro> amotoki, hi.  Sorry for last week.  I couldn't reach out you to get your help for cutting release.
14:33:21 <amotoki> yushiro: sorry too. it is not complicated.
14:33:28 <yushiro> xgerman_, SarathMekala Currently, there is no critical bug on dashboard.
14:33:38 <SarathMekala> xgerman_, you are right we need to do both
14:34:03 <SarathMekala> I have some thoughts on improving the UI screens.. will do a write up and share to the team
14:34:27 <SarathMekala> yushiro, good to know :)
14:34:32 <xgerman_> amotoki should we do a spec for that
14:34:34 <xgerman_> ?
14:34:52 <amotoki> xgerman_: on dashboard improvements?
14:34:56 <xgerman_> yep
14:35:11 <amotoki> i think it is better to use a blueprint in neutron-fwaas-dashboard launchpad
14:35:50 <amotoki> if you prefer to RFE bugs, it also works :)
14:35:52 <xgerman_> ok, SarathMekala if you could do your writeup in a blueprint —much appreciated
14:36:06 <SarathMekala> xgerman_, sure.. will do that
14:36:13 <amotoki> there is no need to discuss with the driver team. it's an UI project
14:36:13 <xgerman_> thanks
14:36:20 <yushiro> Changing UI needs spec, OK I understood.
14:36:32 <SridarK> SarathMekala: but for some prelim discussion with screenshots and to get some discussions going - google doc could be a first step leading to a bp
14:36:54 <SarathMekala> SridarK, got it..
14:37:00 <xgerman_> +1
14:37:02 <yushiro> SridarK, +1
14:37:24 <amotoki> that would be a good idea
14:37:24 <SarathMekala> will start with a google doc and will create a blueprint after some preliminary discussions
14:37:47 <amotoki> SarathMekala: you can create a blueprint and add a link to a google doc
14:38:05 <SarathMekala> amotoki, +1
14:38:31 <yushiro> SarathMekala, Could you discuss with me about 'bug' or 'improvement' in https://etherpad.openstack.org/p/fwaas-v2-dashboard
14:38:39 <yushiro> later ?
14:39:14 <SarathMekala> yushiro, sure
14:39:22 <yushiro> SarathMekala, OK, thank you.
14:39:28 <SarathMekala> we need to clean up the etherpad as well
14:40:36 <amotoki> IMHO it is better to file bugs rather than tracking remaining things in the etherpad
14:40:55 <xgerman_> +1
14:41:11 <xgerman_> especially after release
14:41:14 <yushiro> amotoki, all of etherpad?
14:41:44 <amotoki> yushiro: yeah, all *remaining* topics
14:41:53 <xgerman_> yes, so users don’t file known bugs
14:42:07 <yushiro> amotoki, Aha OK, will do it.
14:42:16 <amotoki> yushiro: it is not clear to me what are remaining (in "Blocking Issues" section)
14:42:27 <SarathMekala> right.. will sync up with yushiro on this
14:42:40 <amotoki> "How to Install" should be converted into the in-tree doc
14:43:06 <amotoki> https://bugs.launchpad.net/neutron-fwaas-dashboard (with v2-dashboard tag)
14:43:07 <xgerman_> action convert “How to Install"  into the in-tree doc
14:43:18 <xgerman_> #action convert “How to Install"  into the in-tree doc
14:44:00 <yushiro> amotoki, 'Blocking Issues' was mandatory issues to solve before merging v2 dashboard.  So, it's OK to ignore.
14:44:39 <amotoki> yushiro: okay. I was just not sure the status of each item
14:44:53 <amotoki> for the install documentation, perhaps https://docs.openstack.org/neutron-fwaas-dashboard/latest/install/index.html and https://docs.openstack.org/neutron-fwaas-dashboard/latest/contributor/devstack-plugin.html covers almost all. if any, let's add it.
14:45:31 <SarathMekala> amotoki, true..this doc needs to be cleaned up to track only pending issues...
14:45:33 <yushiro> 'Future improvements' are our next target.
14:45:42 <SridarK> amotoki: yes Blocking Issues have all been addressed
14:46:01 <amotoki> SridarK: yushiro: good news. thanks
14:46:14 <xgerman_> ok, let’s move to
14:46:19 <SridarK> amotoki: +1 on updating the docs
14:46:39 <xgerman_> #topic Open Discussion
14:46:54 <xgerman_> I know we have some specs which need attention
14:47:42 <yushiro> yes
14:49:05 <yushiro> #link https://review.openstack.org/#/c/461657/  I'll reply to ZhaoBo
14:49:23 <xgerman_> thanks —
14:50:18 <xgerman_> SridarK any update on CCF?
14:50:25 <yushiro> #link https://review.openstack.org/#/c/509725/  firewall logging  extension. (However, logging API in neutron is now trying to merge)
14:50:37 <yushiro> stay tuned!!
14:50:39 <SridarK> xgerman_: no i will write that up too and then link it to a bp
14:51:04 <xgerman_> ok, great
14:51:23 <yushiro> hoangcx, annp and I are discussing more detail design now.
14:51:33 <amotoki> this RFE is marked as rfe-postponed. if we have a volunteer to move this forward, we can change the tag to rfe-approved
14:51:52 <amotoki> https://bugs.launchpad.net/neutron/+bug/1628627 is the RFE bug for https://review.openstack.org/#/c/461657/
14:51:54 <openstack> Launchpad bug 1628627 in neutron "In FWaaS, when someone makes a change to a firewall rule we know, Who, What, When, and Where" [Wishlist,In progress] - Assigned to zhaobo (zhaobo6)
14:52:40 <xgerman_> yeah, let’s aim for L2 in Q-2 and then we tackle other stuff ;-)
14:52:57 <hoangcx_> xgerman_: +1
14:53:44 <doude> did you establish the list of 'other stuff'?
14:53:58 <amotoki> yushiro: for https://review.openstack.org/#/c/509725/, is there a RFE bug?
14:54:09 <mlavalle> is that the one for audit?
14:54:45 <SridarK> doude: i think we can take on ur changes
14:54:56 <hoangcx_> amotoki: https://bugs.launchpad.net/neutron/+bug/1720727
14:54:57 <openstack> Launchpad bug 1720727 in neutron "[RFE] (Operator-only) Extend logging feature to support for FWaaS v2" [Wishlist,Confirmed]
14:55:03 <doude> cool :)
14:55:04 <yushiro> amotoki, yes
14:55:10 <xgerman_> SridarK +1
14:55:13 <doude> did you have time to look at it?
14:55:20 <amotoki> hoangcx_: ah.. I found it in the content, but no reference in the commit msg. just it
14:55:21 <SridarK> doude: are u going to be at the summit
14:55:28 <doude> yes I'll
14:55:49 <hoangcx_> amotoki: It will change status of the bug and it will not go to the list of driver team attention
14:55:57 <doude> Mon-Thu
14:56:02 <yushiro> amotoki, We need to check 'rfe-approved',  is it necessary from driver-team ?
14:56:06 <SridarK> doude: no i have been swamped - perhaps we can sit together with yushiro and others who will be there
14:56:15 <mlavalle> amotoki: RFE 1628627 is being actively pursued by zhaobo
14:56:17 <doude> sure
14:56:26 <yushiro> doude, I'll be there :)
14:56:53 <amotoki> mlavalle: yes, I noticed that a few minutes ago.
14:56:56 <doude> I'll prepare that. Is there an FWaaS etherpad to organize the summit?
14:56:59 <mlavalle> cool
14:58:05 <SridarK> #link https://etherpad.openstack.org/p/fwaas-sydney-discussions
14:58:17 <SridarK> doude lets use this to coordinate
14:58:40 <xgerman_> ok, one minute left
14:58:52 <mlavalle> SridarK, doude: you both going to Sydney?
14:59:00 <amotoki> before closing the meeting, let me share https://review.openstack.org/#/c/501978/ (devstack patch)
14:59:01 <SridarK> mlavalle: yes
14:59:11 <amotoki> I think it is related to fwaas as well
14:59:27 <SridarK> mlavalle: we can discuss the audit bp more in detail in person too
14:59:53 <SridarK> mlavalle: i think this a useful feature for compliance etc to have
14:59:59 <xgerman_> let’s try to do that in addition to commenting on the spec
15:00:04 <mlavalle> ++
15:00:19 <xgerman_> #endmeeting