#openstack-meeting-3 log

18:30:56 <SumitNaiksatam> #startmeeting Networking FWaaS
18:30:57 <openstack> Meeting started Wed Apr  8 18:30:56 2015 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:30:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:31:00 <openstack> The meeting name has been set to 'networking_fwaas'
18:31:01 <SridarK> badveli: yamahata: yushiro: hi
18:31:09 <badveli> hello sridark
18:31:13 <SumitNaiksatam> #topic Bugs
18:32:09 <SumitNaiksatam> this is a doc bug: #link https://bugs.launchpad.net/openstack-manuals/+bug/1440864
18:32:10 <openstack> Launchpad bug 1440864 in openstack-manuals "Firewall-as-a-Service (FWaaS) overview in OpenStack Cloud Administrator Guide - current" [Undecided,New]
18:32:19 <SumitNaiksatam> we need someone to look at it
18:33:00 <SumitNaiksatam> yushiro: regarding #link https://bugs.launchpad.net/neutron/+bug/1439383
18:33:02 <openstack> Launchpad bug 1439383 in neutron "FWaaS - the action of firewall-policy "insert_rule" and "remove_rule" not exist in policy.json" [Undecided,New] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
18:33:18 <SumitNaiksatam> pc_m: hi
18:33:22 <pc_m> hi!
18:33:27 <SumitNaiksatam> yushiro: are you planning to post a patch?
18:33:34 <yushiro> pc_m, hi
18:33:54 <pc_m> yushiro: Hi
18:33:56 <yushiro> SumitNaiksatam, yes. I'll post the patch.
18:34:15 <SumitNaiksatam> yushiro: thanks!
18:34:39 <SridarK> SumitNaiksatam: i will look into 1440864
18:34:42 <SumitNaiksatam> the following is another relatively minor bug: #link https://review.openstack.org/#/c/169239/
18:34:48 <SumitNaiksatam> SridarK: thanks much
18:35:07 <SumitNaiksatam> i thought the change was good, not sure why the gate keeps failing on that, i havent investigated
18:35:43 <SumitNaiksatam> we have this high priority doc bug: #link https://bugs.launchpad.net/openstack-api-site/+bug/1425658
18:35:44 <openstack> Launchpad bug 1425658 in openstack-api-site "FWaaS needs WADL doc to be available in the API reference" [High,In progress] - Assigned to Sumit Naiksatam (snaiksat)
18:35:49 <SumitNaiksatam> i posted a patch for that
18:35:57 <SumitNaiksatam> still little more work to do
18:36:05 <SumitNaiksatam> i also volunteered co-authors ;-P
18:36:29 <SumitNaiksatam> so first priority is to bring it in sync with the older documentation
18:36:38 <SumitNaiksatam> and then add the router insertion specific details
18:36:41 <SridarK> SumitNaiksatam: I am trying to add some stuff into the common.ent file
18:36:43 <pc_m> SumitNaiksatam: Gates on 169239 is because of Neutron UT changes.
18:37:07 <SumitNaiksatam> pc_m: ah ok, the recent changes
18:37:12 <SumitNaiksatam> pc_m: thanks
18:37:28 <pc_m> SumitNaiksatam: Should be fixed by my commit https://review.openstack.org/171602. Just rebase.
18:37:30 <SridarK> SumitNaiksatam: +1 to pc_m
18:37:55 <SumitNaiksatam> pc_m: was just going to say, not sure why he didnt try a rebase
18:38:06 <SumitNaiksatam> perhaps we can post a comment with the suggestion
18:38:20 <pc_m> SumitNaiksatam: Will do.
18:38:28 <vishwanathj> should not the Rebase Change button work from the patch link
18:39:28 <pc_m> vishwanathj: Might, but might not, as there may be conflict in test file.
18:39:33 <vishwanathj> nevermind, When I do that, I get the error "The Change could not be rebased due to a patch conflict during merge"
18:39:47 <pc_m> vishwanathj: :)
18:40:08 <SridarK> test_db_firewall.py shd have conflicts
18:40:12 <pc_m> SumitNaiksatam: What;s the patch number for the doc change?
18:40:34 <SridarK> the day that button works always we will all be redundant :-)
18:40:46 <vishwanathj> :)
18:41:16 <pc_m> LoL
18:41:18 <SumitNaiksatam> pc_m: which one?
18:41:43 <pc_m> You mentioned the WADL, you have a patch? Or is it not up for review yet?
18:41:59 <SumitNaiksatam> #link https://review.openstack.org/#/c/170733/
18:42:02 <SumitNaiksatam> pc_m: ^^^
18:42:11 <pc_m> thanks
18:42:48 <SridarK> pc_m: u had filled in the common.ent file manually for vpn ?
18:43:02 <SridarK> i recall u saying something to that effect
18:43:18 <pc_m> SridarK: yeah I did everything manually.
18:43:30 <SridarK> pc_m: i will ping u offline for some pointers on that
18:43:30 * pc_m manual = cut and paste :)
18:43:42 <SumitNaiksatam> pc_m: :-)
18:43:44 <SridarK> pc_m: boy that file makes my head spin :-)
18:43:54 <SumitNaiksatam> pc_m: i took that advice to heart ;-)
18:44:16 <pc_m> SridarK: Sure we can chat. It makes sense once you play with it for a while.
18:44:28 <SridarK> pc_m: ok thx
18:44:51 <SumitNaiksatam> any other interesting bugs we missed today?
18:45:05 <vishwanathj> I need to respond to Yushiro's patch set.....
18:45:10 <SridarK> SumitNaiksatam: nothing else i believe
18:45:21 <SumitNaiksatam> SridarK: okay
18:45:24 <SumitNaiksatam> vishwanathj: link?
18:45:46 <vishwanathj> https://review.openstack.org/#/c/147396/
18:46:01 <yushiro> vishwanathj, thank you!
18:46:13 <vishwanathj> for some reason, I am still able to reproduce the issue after I apply the patch
18:46:52 <vishwanathj> yushiro, you may need to upload another patchset as Jenkins as failed with error "Patch in merge conflict"
18:47:22 <SumitNaiksatam> vishwanathj: ah, yeah noticed your comment earlier, thanks for trying it out
18:47:50 <SumitNaiksatam> #topic Functional/Integration tests in the gate
18:48:03 <SumitNaiksatam> badveli: you said wanted to give this a shot?
18:48:13 <badveli> yes thanks for your pointers
18:48:33 <yushiro> vishwanathj, I see.  I will upload the patch. current my patch status is 'Merge Conflict'.  I don't know why..
18:48:39 <badveli> i went through the test that you had mentioned
18:48:45 <SumitNaiksatam> for the basic test i was proposing last week, i was thinking something along the lines of what this is doing: #link https://github.com/openstack/neutron/blob/master/neutron/tests/functional/agent/linux/test_iptables_firewall.py
18:49:06 <SumitNaiksatam> badveli: okay great
18:49:23 <SumitNaiksatam> badveli: you want to discuss here your findings?
18:50:09 <badveli> looks to me we can do some thing similar as you had mentioned set up firewall and  do some functional test like allow or deny case
18:50:22 <SridarK_> SumitNaiksatam: badveli: is this for Scenario tests ?
18:50:24 <badveli> sent some traffic and check
18:51:15 <SumitNaiksatam> SridarK_: this is for functional tests
18:51:29 <SridarK_> SumitNaiksatam: so API or beyond ?
18:51:38 <SumitNaiksatam> SridarK_: in the last week we discussed with pc_m as to how we can get some functional tests going
18:51:59 <SumitNaiksatam> with functional tests the idea is to not require the entire opesntack stack to be running
18:52:22 <SridarK_> SumitNaiksatam: ok got it - sorry - will catch up on logs
18:52:31 <yamahata> Do you have any idea on how to create packet?
18:52:33 <badveli> sridark to check the functionality of the firewall in affect
18:52:42 <SumitNaiksatam> but perhaps just exercise the fwaas code such that it triggers the configuration iptables rules
18:53:04 <SumitNaiksatam> yamahata: do we need to create a packet?
18:53:18 <SumitNaiksatam> yamahata: i was not thinking in terms of testing the datapath
18:53:30 <yamahata> it depends on what firewall rule to be tested.
18:53:31 <yamahata> Okay
18:53:33 <SumitNaiksatam> yamahata: but testing that the expected iptables rules are applied
18:53:43 <SridarK_> ok makes sense - we can actually just check the iptables to see if the rule manifests in iptables
18:53:51 <SumitNaiksatam> SridarK_: yeah
18:54:10 <SumitNaiksatam> since we can rely that iptables is independently tested for the data path
18:54:29 <SridarK_> SumitNaiksatam: yes and easier and more light weight makes total sense
18:54:37 <SumitNaiksatam> of course we need to ensure that we are validating against the right critieria (in terms of what we expect the rules to be applied)
18:54:51 <badveli> sumit in the tests that you had mentioned they check ping traffic
18:55:00 <SumitNaiksatam> badveli: ah okay
18:55:07 <SumitNaiksatam> so they do test the datapath
18:55:08 <badveli> they use some helper
18:55:28 <SumitNaiksatam> badveli: good to know
18:55:50 <SumitNaiksatam> pc_m: i guess any tests that we now land will go into liberty, right?
18:56:16 <pc_m> yeah
18:57:12 <SumitNaiksatam> badveli: let us know how your investigation goes
18:57:21 <badveli> thanks to pc_m for reorganizing the unit test case
18:57:27 <SumitNaiksatam> badveli: and once you have some plan around this, lets share with the rest of the team
18:57:41 <SumitNaiksatam> badveli: that way we can split the work and get more people involved
18:57:46 <badveli> yes, also one more question will the functional test fall in different path
18:57:49 <pc_m> Sure, np. I had to do VPN and had a script to help, so I used it on FW.
18:58:01 <SumitNaiksatam> yamahata: i believe you have some experience in this as well
18:58:16 <yamahata> Sure, willing to get involved/help
18:58:17 <SumitNaiksatam> yamahata: so please chime in with your suggestions
18:58:28 <SumitNaiksatam> yamahata: awesome!!
18:58:32 <badveli> yes sumit, i started looking at that test and will update
18:58:54 <SumitNaiksatam> badveli: great, thanks!
18:59:18 <SumitNaiksatam> badveli please keep yamahata in close loop, he has good experience with this
18:59:42 <yamahata> badveli: please Yalei too
18:59:43 <badveli> the functional tests will be under which a seperate directory structure
18:59:51 <SumitNaiksatam> badveli is also local (with reference to your location), so you can bug him ;-P
18:59:56 <badveli> ok, thanks yamahata
19:00:10 <badveli> ok, thanks yamahata and sumit
19:00:47 <SumitNaiksatam> badveli: we have made a start in terms of the directory structure #link https://github.com/openstack/neutron-fwaas/tree/master/neutron_fwaas/tests/functional
19:00:57 <badveli> sorry i saw we have a directory structure
19:01:06 <SumitNaiksatam> SridarK_: you mentioned that Nikolay was working on the tempest tests (scenario tests?)
19:01:07 <badveli> yes thanks sumit
19:01:21 <SumitNaiksatam> SridarK_: that will be a different effort from this
19:01:22 <SridarK_> SumitNaiksatam: yes he will be doing that
19:01:29 <SumitNaiksatam> just to make sure we are all on the same page
19:01:29 <SridarK_> SumitNaiksatam: got it
19:01:53 <SumitNaiksatam> SridarK_: and it would be good to track that effort here as well
19:02:02 <SumitNaiksatam> SridarK_: i believe this is a bad time fo Nikolay
19:02:21 <SumitNaiksatam> so may be you can proxy him (i believe pc_m is in close discussion with him as well)
19:02:22 <SridarK_> #link https://review.openstack.org/#/c/165859
19:02:36 <SridarK_> patch from him for insertion mode
19:02:41 <SumitNaiksatam> SridarK_: bam!! sweet!!
19:02:45 <SridarK_> but will probab go to L
19:02:59 <SridarK_> SumitNaiksatam: yes i will proxy for Nikolay
19:03:10 <SumitNaiksatam> seems like an ultra lite patch though ;-)
19:03:32 <SridarK_> SumitNaiksatam: yes wanted to get a patch out - but working with him to improve coverage
19:03:51 <SumitNaiksatam> looking at the most recent comment, i agree as well, perhaps need a separate test case
19:03:56 <pc_m> SumitNaiksatam: FYI, Nikolay is in Russia.
19:04:33 <SridarK_> SumitNaiksatam: yes and more work is needed
19:04:33 <SumitNaiksatam> pc_m: thanks, yes, good for everyone to know
19:05:15 <SumitNaiksatam> SridarK_: its great that Nikolay is on this, i dont mean to belittle the work in any way
19:05:21 <SumitNaiksatam> sorry if i sounded like that
19:05:39 <SridarK_> SumitNaiksatam: no totally understand did not take it that way at all just wanted to clarify
19:06:05 <SumitNaiksatam> its take a lot of time and effort to just get the environment setup to be able start writing and tests like these
19:06:15 <SumitNaiksatam> so its fantastic that he is at this point
19:06:32 <SumitNaiksatam> because if you get one test going, then i think its relatively easier to add more
19:06:38 <SridarK_> SumitNaiksatam: he is working with pc_m for vpnaas as well
19:06:59 <SumitNaiksatam> pc_m: on that, you mentioned there were some issues that other neutron cores had raised
19:07:16 <SumitNaiksatam> pc_m: has that been sorted out, and the feedback conveyed to Nikolay?
19:08:00 <pc_m> SumitNaiksatam: Yeah, main issue was that tests were using tempest repo imports. Nikolay has been working on doing the test w/o tempest.
19:08:11 <SumitNaiksatam> pc_m: ah okay
19:08:23 <pc_m> SumitNaiksatam: He just posting something today, but I haven't looked at it yet.
19:09:06 <pc_m> SumitNaiksatam: I mentioned to him that in Neutron they now have "fixtures" (see Fake* classes), and that maybe that would help as well
19:09:15 <SumitNaiksatam> pc_m: okay
19:09:34 <pc_m> SumitNaiksatam: I haven't looked into the Fixtures much, but seems like they have things for ports, routers, networks, etc.
19:10:08 <SumitNaiksatam> pc_m: okay, thanks for relaying that information
19:10:15 <pc_m> SumitNaiksatam: In short, there's a bunch to be done for the scenario test, but we've got time, as it'll land in Liberty.
19:10:26 <SumitNaiksatam> pc_m: true
19:11:04 <SumitNaiksatam> the first test will take time, after that it will be much easier to scale this out to more people
19:11:50 <SumitNaiksatam> anything more to discuss today on the topic of functional/integration tests?
19:12:20 <SumitNaiksatam> ok moving on
19:12:25 <SumitNaiksatam> #topic Open Discussion
19:12:55 <SumitNaiksatam> as regards the design summit
19:13:05 <SumitNaiksatam> #link https://etherpad.openstack.org/p/liberty-neutron-summit-topics
19:13:06 <vishwanathj> Do any of the vendor have to refactor their code as a result of https://review.openstack.org/#/c/169239/ getting merged?
19:14:02 <SumitNaiksatam> vishwanathj: i doubt it
19:14:10 <vishwanathj> looks like the Vyatta Firewall agent code might have to respin? I am investigating the impact and code changes
19:14:36 <vishwanathj> SumitNaiksatam, Ok
19:15:07 <SumitNaiksatam> vishwanathj: okay
19:15:09 <SridarK_> vishwanathj: i would have thought this should not have any impact
19:15:25 <SumitNaiksatam> there seems to be a comment in the etherpad: “The future of FWaaS: What do we do with it, how it relates to security groups, etc.”
19:15:41 <SumitNaiksatam> line item 43
19:16:45 <SridarK_> SumitNaiksatam: interesting :-)
19:16:53 <SumitNaiksatam> you can go through the time line and see who added that
19:17:00 <SumitNaiksatam> i am guessing its not someone from this team
19:17:10 <SumitNaiksatam> i cant tell clearly who it is
19:17:15 <SridarK_> SumitNaiksatam: should the answer be "Bright" :-)
19:17:21 <SridarK_> the future that is :-)
19:17:28 <SumitNaiksatam> SridarK_: :-)
19:17:42 <vishwanathj> SumitNaiksatam, SridarK_, vyattaFirewallAgent implements the method process_router() method, refer https://review.openstack.org/#/c/169239/....
19:18:24 <SumitNaiksatam> vishwanathj: okay
19:18:48 <SumitNaiksatam> so if you have any firewall related topics that you need to add, please add them to etherpad
19:19:10 <vishwanathj> wrong link, refer https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/agents/vyatta/fwaas_agent.py
19:19:36 <vishwanathj> the patchset https://review.openstack.org/#/c/163222/6/neutron/agent/l3/agent.py removes the call to process_router()
19:20:05 <SridarK_> vishwanathj: ok - i was getting really confused as that was a one line change
19:21:09 <vishwanathj> SridarK_, I need to investigate what the corresponding change should be ....was wondering if the other vendor codes had already looked into it and assessed the impacts....
19:21:35 <SridarK_> vishwanathj: we have our own agent so this should not impact us
19:21:43 <vishwanathj> looks like you guys may not be impacted and the Vyatta code might be....will approach you guys for guidance if needed
19:21:45 <SridarK_> but other vendors may have a similar situation
19:22:25 <vishwanathj> pc_m, was the VPN code impacted?
19:23:33 <pc_m> vishwanathj: I don't think so.
19:23:50 <vishwanathj> pc_m, Thanks
19:24:25 <pc_m> Tests pass, so it must work :)
19:24:31 <vishwanathj> :)
19:24:37 <SumitNaiksatam> pc_m: :-)
19:24:50 <SumitNaiksatam> okay anything else for today?
19:25:32 <badveli> viswanathj i am looking at the agent patch, will update if we need to change in the mean time let me know how are you handling the removed process_router
19:25:57 <vishwanathj> badveli, I need to investigate, will keep you posted on what I find out
19:26:16 <badveli> ok, thanks
19:26:19 <vishwanathj> became aware of this only this morning
19:26:46 <pc_m> vishwanathj: VPN just listens for the events, which happen in _process_added_router() and _process_updated_router().
19:27:06 <pc_m> vishwanathj: FW could do the same thing, and decouple from the agent, if desired.
19:27:56 <vishwanathj> pc_m, thanks, let me spend some time trying to grasp this...will probably ping you on IRC if I have questions
19:27:59 <badveli> thanks pc_m for the pointers
19:28:07 <pc_m> IOW, VPN "subscribes" for notifications of various events from agent, and then has handlers for those events. FW can do the same thing, if action needed on the events.
19:28:14 <pc_m> vishwanathj: sure
19:29:02 <SumitNaiksatam> pc_m: yes
19:29:22 <SumitNaiksatam> pc_m: thanks much for jumping in and fixing the UT failures
19:29:42 <SumitNaiksatam> pc_m: by the time i woke up and noticed that there was an issue, you had it fixed ;-)
19:29:46 <pc_m> Sure np. I did a fix for the check bash script thing too, but it'll have to wait for liberty
19:29:56 <SumitNaiksatam> pc_m: ok
19:30:02 <pc_m> yeah earlt bird gets the worm :)
19:30:12 <pc_m> early
19:30:39 <SumitNaiksatam> pc_m: :-)
19:30:44 <SumitNaiksatam> thanks eveyrone
19:30:47 <SumitNaiksatam> bye!
19:30:50 <pc_m> bye
19:30:52 <vishwanathj> bye
19:30:55 <yushiro> Bye bye
19:30:56 <yamahata> bye
19:30:57 <SumitNaiksatam> #endmeeting