00:00:11 <sc68cal> #startmeeting networking_fwaas
00:00:11 <openstack> Meeting started Thu Sep  3 00:00:11 2015 UTC and is due to finish in 60 minutes.  The chair is sc68cal. Information about MeetBot at http://wiki.debian.org/MeetBot.
00:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
00:00:15 <openstack> The meeting name has been set to 'networking_fwaas'
00:00:16 <sc68cal> #chair SridarK
00:00:17 <openstack> Current chairs: SridarK sc68cal
00:00:25 <annp> Hi
00:00:31 <xgerman> o/
00:00:38 * sc68cal has been sick this week - so will be leaning on SridarK and xgerman a bit tonight
00:00:49 <xgerman> :-)
00:00:50 <SridarK> sc68cal: hope u feel better - no worries
00:00:51 <sc68cal> #chair xgerman
00:00:51 <openstack> Current chairs: SridarK sc68cal xgerman
00:00:54 <bharathm> \o
00:01:01 <badveli> hello all
00:01:03 <xgerman> yeah, hope so
00:01:18 <sc68cal> just a cold, so been working from bed / couch
00:01:43 <sc68cal> #link Agenda https://wiki.openstack.org/wiki/Meetings/FWaaS
00:02:34 <sc68cal> #topic action items from last meeting
00:02:37 <SridarK> sc68cal: i did some scrubbing there is still some old stuff that i will clean out as well
00:02:52 <sc68cal> SridarK: cool. thanks :)
00:02:58 <xgerman> +1
00:03:01 <mickeys> Hi. Did not realize the channel changed
00:03:14 <xgerman> we try to keep you on your toes
00:03:15 <sc68cal> mickeys: we conflicted with the API WG I think, so I had to change the location
00:03:50 <sc68cal> Action items from last week were for cores to just triage bugs
00:04:13 <sc68cal> and speaking of which
00:04:16 <sc68cal> #topic bugs
00:04:24 <SridarK> sc68cal: yes quick run thru - nothing major to report there
00:04:35 <madhu_ak> hi
00:05:20 <sc68cal> I see Lin opened https://bugs.launchpad.net/horizon/+bug/1491637
00:05:21 <openstack> Launchpad bug 1491637 in OpenStack Dashboard (Horizon) "Error when adding a new Firewall Rule" [Undecided,New]
00:05:48 <SridarK> yes as reported earlier today -
00:06:27 <sc68cal> bharathm: I think we need a bug to track your issue from the ML around router_info and updates
00:07:06 <bharathm> sc68cal: it's not me. I work with German for HP. Whereas that Bharath is from Brocade :-)
00:07:31 <sc68cal> bharathm: ah, sorry
00:07:36 <xgerman> yeah, even I occasionally make that mistake
00:08:18 <bharathm> However that error needs to be addressed. xgerman requested him to create a launchpad bug to follow up
00:08:42 <xgerman> yep
00:08:57 <SridarK> Hmm it seems this is just seen according to his email
00:09:33 <sc68cal> we should see if we have a tempest scenario somewhere that covers the scenario he describes
00:09:54 <sc68cal> if I read correctly, it's the case of not getting updates
00:10:05 <SridarK> if it is just adding a new fw rule, i did that on the CLI some time ago and it was fine
00:11:17 <jwarendt_> Isn't this a horizon issue - not server side- and wasn't horizon was working a few days ago?
00:11:36 <SridarK> yes it seems only horizon
00:11:45 <xgerman> yep
00:11:45 <SridarK> not sure sure if anything changed there
00:12:30 <bharathm> I think it's two different bugs he's referring to in two separate emails
00:12:38 <SridarK> and he seems to imply it is very recent regression
00:13:41 <jwarendt_> bharathm - can you clarify with bug numbers?
00:14:02 <SridarK> Vish, who is not on today - is familiar with Horizon side of FWaaS - i will reach out to him as well
00:14:41 <sc68cal> jwarendt_: heh - bharathm != bharath
00:14:50 <bharathm> jwarendt_ : https://bugs.launchpad.net/horizon/+bug/1491637 is the horizon bug
00:14:52 <openstack> Launchpad bug 1491637 in OpenStack Dashboard (Horizon) "Error when adding a new Firewall Rule" [Undecided,New]
00:15:13 <bharathm> But there was another email dated Aug 30 with the same subject where he had issue with the router info update
00:15:18 <bharathm> I dont think a bug was filed for that
00:15:34 <sc68cal> yeah he likes that subject line .... :)
00:15:43 <jwarendt_> Sry, and thanks for the clarification.
00:16:10 <sc68cal> jwarendt_: no worries - I did it like 5 mins ago :)
00:17:01 <xgerman> and me like two hours ago :-)
00:17:15 <bharathm> sc68cal: Actually I am facing a similar issue in my devstack setup.. When new routers/fips' are created after the FW create, these new namespaces are not getting updated automatically
00:17:38 <xgerman> yeah, we need to (re=add) the rioters to force an update
00:17:56 <xgerman> wonder when this Neutron event bus comes out...
00:18:06 <sc68cal> xgerman: bharathm - that's .... not good.
00:18:19 <SridarK> sc68cal: hmm
00:18:26 <bharathm> xgerman and I found a work around to use "neutron firewall_update {name} --router {router_id} --router {router_id2}"
00:18:32 <badveli> sridark i think we tahught about this
00:18:33 <SridarK> now u have to explicitly bind a router to a FW
00:18:53 <xgerman> well, worse is the same happens with floating ip
00:19:08 <xgerman> I am ok with routers not being updated after all we don’t list them in fiorewall-show
00:19:14 <SridarK> xgerman: ok that is something else :-) i am not claiming responsibility
00:19:19 <bharathm> SridarK: it happens with fip too though the fip belongs to the existing router with fw rules configured
00:19:24 <badveli> but i do not think we will have the issue
00:19:26 <SridarK> xgerman: we do show the routers
00:19:40 <badveli> we should not have the issue
00:19:51 <xgerman> yep, so I am ok with the routers not being updates/added automatically but fips bother me
00:20:07 <xgerman> since we don’t show a user which fits we cover
00:20:11 <SridarK> bharathm: if we have new router and there is an existing FW, then u need to update the FW if u want it on the new router
00:20:13 <xgerman> fips
00:20:28 <SridarK> the old model we installed the FW on all routers in the tenant
00:20:29 <xgerman> SridarK correct
00:20:41 <SridarK> something we wanted to move away from and we did with Kilo
00:20:44 <bharathm> SridarK: I agree. But what about creating a FIP after the FW is applied
00:21:13 <SridarK> Hmm that we need to see
00:21:35 <bharathm> As I do not see any event trigger from L3 Agent or new_namespace_check at set intervals, new FIP namespaces are completely ignored
00:21:50 <xgerman> +1
00:22:09 <sc68cal> so basically traffic inbound to a FIP doesn't get filtered via the firwall
00:22:10 <sc68cal> ?
00:22:13 <SridarK> bharathm: there is supposed to be an event triggered - that we listen too
00:22:20 <bharathm> sc68cal: correct
00:22:23 <xgerman> yep, and that event is not happening
00:22:34 <SridarK> hmm ok need some debugging on that
00:22:48 <sc68cal> Ok - let's get a bug opened for that one so we can start tracking
00:22:50 <SridarK> bharathm: is there a bug on this already ?
00:22:55 <SridarK> sc68cal: +1
00:22:59 <xgerman> +1
00:23:15 <bharathm> SridarK: Oh. May be I didn't dive deep enough to find that event triggering source code
00:23:20 <badveli> sridark the l3agent observer
00:23:33 <badveli> part should be done correct?
00:23:36 <SridarK> bharathm: yes i believe we tested that
00:23:45 <bharathm> sc68cal: I shall create the bug
00:23:49 <xgerman> thanks
00:23:52 <SridarK> badveli: we have not yet moved to the observer model
00:24:04 <SridarK> but the code should get triggered from L3Agent
00:24:07 <sc68cal> bharathm: excellent. Thanks.
00:24:37 <badveli> yes we thaught this case should be covered
00:24:37 <SridarK> bharathm: cool thx - shoot me an email too and we do a quick run thru this and try to narrow down
00:24:47 <xgerman> awesome!!
00:24:55 <bharathm> SridarK: that's great. Will do that
00:25:02 <SridarK> badveli: yes that was my thought too at least when this was done in Juno
00:25:21 <badveli> yes sridark we even discussed this
00:25:32 <badveli> with dvr team and i am suprised
00:25:39 <SridarK> there me and my big mouth saying nothing major on bugs :-)
00:25:51 <bharathm> Heh
00:26:10 <xgerman> well, there is a workaround: just re-add the router
00:26:29 <badveli> xgerman this is not we intended and i was under the impression of the new observer model
00:26:52 <bharathm> badveli: is there a spec I could refer to about this observer model ?
00:27:03 <sc68cal> SridarK: :)
00:27:05 <SridarK> xgerman: ok i recall going thru this scenario before we added a trigger in another place in L3Agent
00:27:27 <badveli> bharathm i do not have a spec
00:27:27 <SridarK> ok something clearly is broken - need some debugging
00:27:33 <badveli> but i will try to send some info
00:27:43 <bharathm> badveli: cool. Thanks
00:27:53 <xgerman> ok, let’s move on — sc68cal other things we need to hit?
00:28:17 <sc68cal> xgerman: I think the only thing at this point is the observation that our test coverage needs improvement
00:28:25 <SridarK> sc68cal: +1
00:28:30 <xgerman> +!
00:28:33 <xgerman> +1
00:28:33 <sc68cal> and we need more tempest scenario tests for common fwaas opeartions
00:28:37 <bharathm> +1
00:28:57 <badveli> sc68cal: initially we were trying to add functional tests
00:29:02 <SridarK> sc68cal: this should be our step 0 in the roadmap
00:29:05 <badveli> and then move on to scenario tests
00:29:09 <sc68cal> we should have had a tempest scenario for - create firewall+policy+rules, then start adding FIPs and deleting and other types of common things
00:29:15 <SridarK> badveli: yes u were trying to feet some traction here
00:29:24 <badveli> yes sridark
00:29:26 <madhu_ak> I think we need to move tests from neutron to fwaas repo?
00:29:50 <xgerman> yep, that is step -1
00:29:54 <badveli> madhu_ak currently the unit tests are under fwaas
00:29:57 <SridarK> xgerman: :-)
00:30:20 <badveli> and we are adding functional tests and scenario tests in fwaas
00:30:27 <madhu_ak> ok sounds good
00:30:38 <xgerman> but there are some tests still in tempest tree we should move over
00:30:45 <xgerman> or neutron tree
00:30:54 <madhu_ak> yep, its in neutron tree
00:30:58 <badveli> yes we will do
00:31:15 <xgerman> cool — once the dust settle we (=HP) can help
00:31:22 <madhu_ak> +1
00:31:23 <sc68cal> does someone want to do a spike on that and report back next week?
00:31:26 <badveli> i followed up with pcm regarding the functional tests
00:31:33 <badveli> and then scenario tests
00:31:47 * sc68cal hopes for a volunteer
00:32:47 <sc68cal> ok, no volunteers? I'll take the action item then
00:33:10 <badveli> is there a dead line i can help but very limited time
00:33:18 <SridarK> sc68cal: pcm has done a lot of this for vpn
00:33:45 <sc68cal> it's basically go look and see what is the status and report back, not looking to solve next week
00:33:50 <SridarK> badveli: may be u can provide a dump of ur discussions with pcm to sc68cal - if u have time that is
00:34:38 <badveli> yes pcm had written it
00:35:08 <badveli> how in wiki
00:35:11 <sc68cal> #action sc68cal coordinate with badveli and others about scenario and functional tests
00:35:19 <SridarK> ok that can save some work for sc68cal
00:35:37 <badveli> ok, thanks
00:36:05 <sc68cal> I think since we're in l-3 that we can skip blueprints
00:36:20 <SridarK> sc68cal: +1 no action there for now
00:36:32 <sc68cal> so I think we can go to open discussion
00:36:58 <sc68cal> #topic open discussion
00:37:38 <xgerman> now with the new time where are our friends from APJ?
00:37:53 <SridarK> xgerman: good question :-)
00:38:20 <SridarK> xgerman: first week must be a teething issue on timing
00:39:06 <xgerman> probably — sc68cal maybe we need to send another advertisement on the ML
00:39:50 <sc68cal> xgerman: odd since hoangcx was on the last APAC meting
00:40:04 <xgerman> yep...
00:42:24 <sc68cal> If there are no objections, we'll wrap up for today and give everyone back 20 mins
00:42:32 <xgerman> sounds good
00:42:36 <jwarendt_> +1
00:42:43 <SridarK> +1
00:42:47 <bharathm> +1
00:42:50 <badveli> fine with me
00:42:52 <sc68cal> ok everyone, until next week - 18:30 UTC
00:42:55 <badveli> bye
00:42:57 <SridarK> sounds good
00:42:58 <sc68cal> #endmeeting