18:30:45 #startmeeting Networking FWaaS 18:30:46 Meeting started Wed Feb 18 18:30:45 2015 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:30:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:30:50 The meeting name has been set to 'networking_fwaas' 18:30:55 SumitNaiksatam: , vishwanathj badveli hi 18:31:03 #info metting agenda https://wiki.openstack.org/wiki/Meetings/FWaaS#Agenda_for_Next_Meeting 18:31:07 SridarK, badveli, Hi 18:31:48 #info we are in Kilo-3 (last milestone to get features merged) 18:32:05 hello all 18:32:35 #info kilo-3 is March 19th 18:33:01 anything else anyone wants to share? 18:33:08 SumitNaiksatam, I thought it was March 5th, maybe I mistaken 18:33:30 vishwanathj: you might as well treat it as March 5th ;-) 18:33:49 :-) 18:34:14 :) 18:34:25 patches have to posted by march 5th 18:34:35 oh, I see 18:34:45 and merged by march 19th (barring exceptions) 18:35:12 #topic Bugs 18:36:10 i just noticed this: #lik https://bugs.launchpad.net/neutron/+bug/1418196 18:36:11 Launchpad bug 1418196 in neutron "fwaas: driver base class is stale" [Undecided,In progress] - Assigned to yalei wang (yalei-wang) 18:36:57 and i think there is a patch: #link https://review.openstack.org/#/c/153930/ 18:37:32 SumitNaiksatam: hmm - i saw the bug 18:37:39 SumitNaiksatam: but missed the review 18:37:52 SumitNaiksatam: i am not sure we need to do this 18:38:00 SumitNaiksatam: i will comment 18:38:03 SridarK: okay 18:38:33 there is a new doc bug: #link https://bugs.launchpad.net/openstack-manuals/+bug/1419498 18:38:35 Launchpad bug 1419498 in openstack-manuals "Networking services in OpenStack Security Guide - FWaaS Section Updates" [Undecided,New] 18:39:19 any takers? 18:39:29 I can take it 18:39:51 vishwanathj: thanks! 18:40:05 Should I assign it to myself or are you going to assign it? 18:40:21 vishwanathj: yes sure 18:40:33 vishwanathj: i think you should be able to assign it 18:40:47 SridarK: badveli: I dont see any other high priority issues 18:40:50 SumitNaiksatam, I was able to, thanks 18:41:05 SumitNaiksatam: yes - there was another review u pointed me to 18:41:08 vishwanathj: great 18:41:21 #link https://review.openstack.org/#/c/147396/ 18:41:25 SridarK: yeah, i have not been able to get back to that either 18:42:01 SumitNaiksatam: i commented on that, i am okay with that - waiting for Jenkins issues to get fixed 18:42:26 SumitNaiksatam: i requested some additional validation which the author has added 18:42:52 SridarK: right, seems to be failing UTs 18:43:07 SumitNaiksatam: yes also had some pep8 18:43:10 earlier 18:43:21 SridarK: true 18:43:37 lets wait for it to pass Jenkins 18:43:44 yes i am not able to check any other bugs 18:43:44 SumitNaiksatam: when i have a bit more cycles will work with him too 18:44:13 i believe the author’s claim is that its not breaking the cases we had mentioned 18:44:43 there is this general packaging bug: #link https://bugs.launchpad.net/neutron/+bug/1422376 18:44:44 Launchpad bug 1422376 in neutron "enable package test suites: dependency on generated egg from git.openstack.org" [Undecided,Incomplete] 18:44:52 and there was some discussion in the ML around it 18:45:02 i think at this point we are not changing anything 18:45:55 anything else in terms of bugs? 18:46:12 SumitNaiksatam: none that i am aware of 18:46:19 SridarK: okay, thanks 18:46:30 np at all 18:46:33 #topic Firewall Insertion 18:46:41 #link https://review.openstack.org/152697 18:46:45 SridarK: over to you 18:46:51 SumitNaiksatam: thx 18:47:01 Some basic things begin to work 18:47:12 I am able to do an end to end test with a single router insertion for CRUD. Update is a bit more tricky now as we need to selectively delete or add FW to specific routers. Some cleanup to push patch up. 18:47:42 I am doing testing with a single router insert, update, delete 18:47:45 #chairs SridarK vishwanathj badveli 18:47:55 #chair 18:47:56 Current chairs: SumitNaiksatam 18:48:09 #chair SridarK vishwanathj badveli 18:48:10 Current chairs: SridarK SumitNaiksatam badveli vishwanathj 18:48:22 sorry, anticipating network issues 18:48:23 thus far i have these things working 18:48:30 ok i figured 18:48:42 What remains is to support list of routers on the db side for the access methods. And UT. And i am sure small things here and there. 18:48:54 SridarK: nice 18:48:59 SumitNaiksatam, what does that mean? Current chairs? pardon my ignorance 18:49:13 vishwanathj: in case i drop off, you can close the meeting 18:49:21 got it, thanks 18:49:27 SridarK: sorry for the distraction 18:49:30 SumitNaiksatam: i have hacks all over the place - want to clean that out and push a patch up 18:49:31 np 18:49:46 SridarK: okay, i noticed some comments from other cores 18:49:48 hacks - meaning more debug logs 18:50:54 SridarK: okay 18:50:59 SumitNaiksatam: yes on the tempest front, Nikolay will be working on that 18:51:27 i wanted to touch base with pc_m before but today has been mtg day from early am 18:51:34 SridarK: awesome, i noticed his patch was abandoned 18:51:48 we can cover the agent refactor here 18:51:59 SumitNaiksatam: yes he will pick this 18:52:03 SridarK: We can chat later, jsut ping me 18:52:20 pc_m: thanks 18:52:20 SumitNaiksatam: perhaps some synchronization has to happen with api tests 18:52:32 SridarK: can you request him to update: #link https://wiki.openstack.org/wiki/Neutron/FWaaS/KiloPlan as well? 18:52:45 SumitNaiksatam: i think i added him 18:52:59 pc_m: sure 18:53:03 SridarK: yeah, i meant gerrit patch 18:53:11 SumitNaiksatam: ok will do 18:53:12 reference 18:54:00 SridarK: any blocking issues? 18:54:12 SumitNaiksatam: nothing now 18:54:24 SumitNaiksatam: more neurons will help ;-) 18:54:24 SridarK: nice 18:54:29 SridarK: :-) 18:54:49 in my case, its - some neurons will help 18:54:49 Lets discuss a bit on the L3 agent refactor implications 18:54:50 SridarK, let me know if there is any way that I can help or contribute to your efforts 18:54:55 :-) 18:55:06 thx vishwanathj 18:55:25 i will discuss more with pc_m also 18:55:26 #topic FWaaS L3 agent refactoring/restructuring 18:55:31 SridarK: go ahead 18:55:33 ok 18:56:01 so with the new model since router insert and del is driven from the plugin 18:56:12 it simplifies the agent side as we had discussed 18:56:36 so router add/del notification may not be needed on the agent 18:56:47 the plugin can take care of that side 18:56:58 not sure if we want to put a FK constraint 18:57:11 but that will kind of happen on the plugin 18:57:27 the other thing on i/f add/del 18:57:40 since we install the rules on qr* 18:57:53 we may not need to worry about this 18:58:07 this is my current thought 18:58:21 by saying "we need not have to worry" 18:58:30 i have probab jinxed it already :-) 18:58:36 SridarK: :-) 18:58:45 sorry too much typing 18:58:57 will discuss this more with pc_m 18:59:05 okay so on the FK, this will be on router? 18:59:17 and also once i update the patch it will become easier for folks to see 18:59:27 SumitNaiksatam: i am thinking if we need to do that 18:59:28 yes 18:59:47 SridarK: i am thinking it might be better to avoid FK constraints 19:00:08 SumitNaiksatam: yes exactly what i started typing 19:00:09 SridarK: since they are not always supported across DBs 19:00:31 SumitNaiksatam: and if a router is deleted then the fw for that is gone 19:00:44 other routers should still have the fw 19:00:59 SumitNaiksatam: and this should work automatically 19:01:25 SumitNaiksatam: thats all i had 19:01:31 SridarK: okay, to the extent we can lets implement those constraints in the code 19:01:46 SumitNaiksatam: ok 19:01:59 Sridark, i am not able to follow you, could you please help what are we doing 19:02:36 badveli: sure this is with router insertion and l3 agent refactor implications 19:03:10 badveli: with the router insertion model we are changing the fundamental behavior in the agent 19:03:28 badveli: the agent no longer tries to determine the routers on a tenant 19:03:40 badveli: the plugin tells the agent 19:03:58 this becomes part of the fw dict we send from the plugin to the agent 19:04:20 badveli: so we can remove some of that old code 19:04:34 thanks sridark, ok the plugin directly sends the fw dict 19:04:36 thanks 19:05:00 badveli: yes as before, but now it also send the routers the fw is to be inserted on 19:05:51 badveli: pls ping me if u other questions 19:05:57 *have 19:05:59 With the refactoring... before the device drivers were talking directly to the agent (to get router info) 19:06:17 If you no longer have that need, then may not have refactoring to do. 19:06:32 (need to get router info from device driver) 19:06:41 pc_m: no change on the agent - device driver interface 19:07:04 the agent will still call into the device driver (iptables) with the router list 19:07:31 pc_m: the changes are confined to the agent and the agent - plugin interaction 19:07:45 SridarK: Will device driver need to access the router (calling back to the agent to get router info)? 19:08:08 pc_m: no the device driver is given the router 19:08:22 sridark, the agent will not longer be able to access the router info? 19:09:05 badveli: it will get the router-id - using the router-id it gets the ri list 19:09:20 no change there either 19:09:56 the only change is the agent used to get the list of all routers on the tenant 19:10:01 SridarK: pc_m: accessing the router info works the same way as before (after the l3 agent refactor)? 19:10:17 ok, this change is needed only to update where is the firewall applied, correct? 19:10:19 the plugin did not provide this before now it does 19:10:40 badveli: yes 19:10:57 SumitNaiksatam: yes i believe so 19:11:17 as we are in the inheritance hierarchy 19:11:22 we can access router-info 19:11:28 no change there 19:11:54 SridarK: We can chat off-line to see if there is any refactoring needed for FWaaS. For VPN we needed to break the coupling between driver and agent. 19:12:05 pc_m: yes lets do that 19:13:01 SumitNaiksatam: i think that all i had 19:13:16 pc_m: SridarK: it might be good to get the summary of that conversation for the rest of the team 19:13:26 SumitNaiksatam: yes i will do that 19:14:00 perhaps an email summary will be good (i think there is some concern here with some of the vendor drivers which are currently leveraging this interaction) 19:14:39 also general comment - i am pretty lonely on #openstack-fwaas 19:14:51 so might be a good place to have offline conversations ;-) 19:14:58 SumitNaiksatam: yes on the vendor implications 19:15:00 SumitNaiksatam, I did visit you there once :) 19:15:01 SumitNaiksatam: :-) 19:15:33 vishwanathj: SridarK: ;-) 19:15:40 SridarK: thanks much for those two updates 19:15:48 SumitNaiksatam: some rewiring is needed to get to the IRC :-) 19:16:14 SumitNaiksatam: i never ever thought i would ever do anything on a db in my previous life :-) 19:16:23 so i can also hang out on IRC 19:16:25 :-) 19:16:30 SridarK: totally understand, i was just joking, please feel free to communicate in whichever is convenient and most effective! 19:16:37 SridarK: :-) 19:16:37 :0) 19:17:07 #topic Service Objects 19:17:14 badveli: over to you 19:17:37 yes sumit 19:18:19 not yet uploaded the patch, at least i will try to upload the neutron patch 19:18:25 badveli: okay 19:19:31 should it be accompanied by neutron client patch also? 19:19:46 python neutron client patch? 19:20:21 badveli: ideally yes 19:20:37 badveli: but “accompanied” is pretty subjective 19:21:02 i believe it should be posted in a reasonable frame of time so as to allow reviewers an easy way to test 19:21:18 ok, thanks sumit 19:22:27 badveli: thanks for the update 19:22:28 hopefully still my old patches 19:22:29 badveli: so we will have one for neutron (extensions), one for fwaas (backend) and cli 19:22:38 yes sumit 19:22:51 but planning to start on extensions first 19:22:59 #topic FWaaS gate jobs 19:23:26 pc_m: fwaas team owes you another big one for getting this enabled 19:23:36 +1 19:23:46 +1 19:24:34 thanks pcm 19:24:39 np guys! 19:24:40 I will need some guidance on patches with api changes and interaction with gate jobs 19:25:03 i see a chicken and egg type of problem unless i am missing something 19:25:25 SumitNaiksatam: pc_m: i will ping u guys later on this 19:25:46 SridarK: sure 19:26:03 sure 19:26:07 SridarK: you anticipate tempest tests breaking? 19:26:24 SumitNaiksatam: yes, as we now provide router ids 19:26:36 SumitNaiksatam: or rather have to provide router-ids 19:26:48 earlier was not needed 19:27:03 so on the old test we will be in PENDING_CREATE 19:27:41 we can talk later - as we are running out of time 19:27:43 SridarK: okay 19:27:55 #topic Open Discussion 19:28:04 Anything else we missed today? 19:28:10 we have 2 mins 19:28:58 the proposed talks for the Vancouver summit are now public 19:29:17 Well, the Intel McAfee FWaaS patch needs to be reviewed once they upload a new patch which passes all jenkins test 19:29:22 pc_m: and me along with doug have proposed a talk on *aaS 19:29:30 vishwanathj: yes 19:29:32 cool 19:30:06 SumitNaiksatam: on the cisco patch we are sorting out our vendor repo implications 19:30:24 SridarK: okay 19:30:34 fyi on the talk - #link https://www.openstack.org/vote-paris/presentation/neutron-mitosis-and-the-l7-services-roadmaps 19:31:09 please let the team know if there are any other related talks so that we can express our interest accordingly 19:31:14 we are out of time 19:31:18 thanks all! 19:31:22 bye 19:31:22 bye 19:31:23 thanks all 19:31:26 bye 19:31:28 #endmeeting