00:01:30 <SridarK> #startmeeting Networking FWaaS
00:01:31 <openstack> Meeting started Thu Sep 17 00:01:30 2015 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
00:01:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
00:01:35 <openstack> The meeting name has been set to 'networking_fwaas'
00:01:43 <SridarK> #chair xgerman
00:01:44 <openstack> Current chairs: SridarK xgerman
00:02:08 <SridarK> quick one today
00:02:22 <SridarK> #topic Bugs
00:02:40 <SridarK> #link https://bugs.launchpad.net/neutron/+bug/1496244
00:02:41 <openstack> Launchpad bug 1496244 in neutron "rule change via GUI/CLI puts FW in ERROR mode" [Undecided,New]
00:03:06 <SridarK> this is new, looks to be on Kilo similar to the rule update issue fixed earlier
00:03:35 <SridarK> i will take a look at this to see if this is indeed the earlier issue
00:03:55 <SridarK> #link https://bugs.launchpad.net/neutron/+bug/1496239
00:03:56 <openstack> Launchpad bug 1496239 in neutron "neutron-fwaas check_migartion fails" [High,In progress] - Assigned to Akihiro Motoki (amotoki)
00:04:03 <badveli_> hello all
00:04:06 <SridarK> This is in review
00:04:16 <badveli_> sorry logged in other channel
00:04:29 <SridarK> badveli_: no worries, hi
00:04:36 <badveli_> hello sridark
00:04:48 <SridarK> #link https://bugs.launchpad.net/bugs/1492142
00:04:48 <openstack> Launchpad bug 1492142 in neutron "FWaaS: FIP namespace created after/before Firewall creation doesn't contain FW rules" [Undecided,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)
00:05:11 <SridarK> this is on me, have been tied up - will debug this and sync with bharathm
00:05:24 <jwarendt> +1
00:05:25 <SridarK> we can then decide on prioritizing
00:05:53 <SridarK> #link https://bugs.launchpad.net/horizon/+bug/1491637
00:05:54 <openstack> Launchpad bug 1491637 in OpenStack Dashboard (Horizon) "Error when adding a new Firewall Rule" [Undecided,Confirmed] - Assigned to Rob Cresswell (robcresswell)
00:06:15 <SridarK> i confirmed this and also sent out a reminder to Rob
00:06:59 <SridarK> I will follow up with him to see that this is addressed in Horizon as this is a major issue for us
00:07:17 <SridarK> #link https://bugs.launchpad.net/neutron/+bug/1487599
00:07:19 <openstack> Launchpad bug 1487599 in neutron "fwaas - ip_version and IP address conflicts are not raised" [Undecided,In progress] - Assigned to Sean M. Collins (scollins)
00:07:28 <SridarK> This is in progress
00:07:54 <SridarK> Those were some of the bugs i mined
00:08:04 <SridarK> others pls add anything i have missed
00:09:25 <SridarK> ok if nothing else we can move on
00:09:34 <badveli_> nothing much
00:09:47 <SridarK> thanks badveli_
00:09:52 <SridarK> #topic Roadmap
00:10:46 <badveli_> https://bugs.launchpad.net/neutron/+bug/1496244
00:10:47 <openstack> Launchpad bug 1496244 in neutron "rule change via GUI/CLI puts FW in ERROR mode" [Undecided,New]
00:11:04 <badveli_> sorry sridar this one is similar to what we discussed before
00:11:05 <SridarK> badveli_: we discussed that already
00:11:12 <xgerman> so it’s dupe?
00:11:14 <SridarK> just b4 u joined
00:11:17 <xgerman> (sorry for being late)
00:11:18 <badveli_> yes looks like
00:11:20 <SridarK> will need to eval
00:11:26 <SridarK> it does seem so
00:11:29 <SridarK> it is on Kilo
00:11:30 <badveli_> ok, thanks
00:11:45 <SridarK> i believe the fix was put into Kilo as well
00:11:55 <SridarK> just need to verify the version
00:12:01 <xgerman> so regression error>
00:12:20 <SridarK> xgerman: yes most likely
00:13:21 <SridarK> mickeys: Swami said that he will ping us on the next trip into the Bay area - so u can get some whiteboard time with him to run thru the DVR interaction
00:13:36 <mickeys> Sounds good. Do you know when he will be here?
00:13:51 <SridarK> mickeys: no, i will send out a reminder to him
00:15:52 <SridarK> The other action on all of us is to converge towards some priorities for M
00:16:05 <xgerman> we are on the hook for the API redesign
00:16:14 <SridarK> xgerman: +1
00:16:17 <mickeys> +1
00:16:22 <jwarendt> +1
00:17:19 <xgerman> #link https://wiki.openstack.org/wiki/ReleaseNotes/Liberty#Deprecated_Features
00:18:13 <SridarK> xgerman: talk abt being in the spotlight :-)
00:18:27 <badveli_> current API will be removed?
00:18:29 <hoangcx> xgerman: Thanks for point it out
00:18:30 <mickeys> xgerman: Can you provide any clarification on "removed" wrt backwards compatibility?
00:19:04 <xgerman> technically because API was experimental it can be removed in one cycle
00:19:22 <xgerman> but we all have customers using it so it’s up to his to figure out something more gracious
00:19:32 <xgerman> his=us
00:19:51 <madhu_ak> hi, sorry to be late
00:20:11 <badveli_> xgerman: would it be better to add API's
00:20:11 <bharathm> SridarK - sorry got caught up with other work. Lets sync up on the bug whenever you are free
00:20:36 <badveli_> xgerman: current modelling is fine
00:20:36 <SridarK> xgerman: hmm - but it can still stay experimental while we figure out the plan forward ?
00:20:49 <SridarK> bharathm: yes same problem here too - will ping u
00:21:03 <bharathm> Sure..
00:21:07 <xgerman> well, the Neutron leadership wants to lay the groundwork for a complete reboot
00:23:37 <SridarK> xgerman: ok while this opens up more possibilities, the question of backwards compat can still be kept on the table based on feedback
00:23:57 <badveli_> sridark:+1
00:24:21 <xgerman> +1 as I said backwards compatibility is important for us and our customers
00:24:39 <xgerman> the community is often too cavalier when it comes to that
00:25:09 <SridarK> xgerman: understood and agree
00:25:09 <xgerman> but it could just be that we have migration tools
00:28:00 <SridarK> once we get some clarity on the dvr interaction - that will help our thought process on the API as well
00:28:35 <mickeys> SridarK: I was hoping for that, but Carl seemed to want it the other way around. First some clarity on API, then resolve DVR interactions.
00:29:08 <xgerman> well, we need to do the API in any case so I am ok to start there
00:29:21 <SridarK> mickeys: hmm ok, should we come up with a strawman and see what dvr can support
00:29:26 <badveli_> Sridark: since we previously had discussion with DVR team
00:29:27 <mickeys> +1
00:30:18 <SridarK> mickeys: we can use ur etherpad to flush things out
00:30:18 <badveli_> we have some context, so we can think about the API
00:30:56 <SridarK> badveli_: yes, if folks agree we can add content into the etherpad
00:31:41 <mickeys> badveli_: The previous discussions with the DVR team, along with the current discussions with Swami, are all along the lines of making FWaaS work with DVR for east/west as well as north/south. If that is not accepted, then the other solutions change the scope of FWaaS, which impacts the API discussion in a big way.
00:32:45 <SridarK> mickeys: +1, i was hoping like u that we can look for feasibility w.r.t to dvr first
00:33:30 <mickeys> SridarK: It looks like the DVR discussion will take some time and get rather complex. I suspect that we can work out a strawman before Tokyo, but whether the L3 team will accept that strawman might not be clear until Tokyo.
00:34:54 <SridarK> mickeys: yes i agree, we should use the face to face time at Tokyo to drill down on the details
00:35:01 <xgerman> +1
00:35:34 <SridarK> but a bit of "cart and horse" - i guess the perspectives are different for each team
00:36:31 <mickeys> We have to try and progress both as best we can before Tokyo. It is not that we expect resolution before Tokyo, but we need to be pretty far along beforehand, if we want to resolve things in Tokyo.
00:36:47 <SridarK> So at least at a high level - we want to be able to be an Edge Firewall and also Firewall VM - VM in a network (the SG angle)
00:36:58 <mickeys> SridarK: +1
00:37:07 <SridarK> mickeys: agree totally or one more cycle will go by
00:37:42 <jwarendt> +1
00:38:05 <SridarK> Ok so if all of us are on the same page, we can start with that as the highest level and rather generic requirement
00:38:19 <bharathm> SridarK: +1
00:38:32 <xgerman> yeah, sounds like a plan
00:38:51 <badveli_> sridark: fine  we are taking up the cases but did it change very much
00:38:52 <xgerman> and gets us closer to the goal of a shared backend between SG and FWaaS
00:39:07 <badveli_> w.r.t DVR
00:40:11 <badveli_> we had several proposals for east-west traffic
00:40:17 <badveli_> which was the only thing i assume was missing
00:40:21 <SridarK> badveli_: not really, we just need to get to an API that will also work beyond the edge case that we have today
00:41:16 <xgerman> yeah, the API only needs one reference implementation
00:41:28 <xgerman> we can add multiple solutions over time if we want
00:41:47 <xgerman> and the have the user/operator pick what’s best for their sistuation
00:42:15 <hoangcx> xgerman: +1
00:42:33 <SridarK> xgerman: +1
00:42:51 <mickeys> xgerman:+1
00:43:34 <mickeys> For the Design Summit, I wonder if we can get separate sessions for FWaaS with DVR and the API discussion. For FWaaS with DVR, we need L3 people in the room with us. For the API, we need those interested in SG in the room.
00:44:36 <xgerman> now in Vancouver our design session “got derailed” by people complaining about what they don’t like about FWaaS
00:45:05 <xgerman> (in addition to being packed)
00:45:10 <mickeys> xgerman: We definitely need a strawman ready to focus the discussion and avoid that outcome
00:45:22 <SridarK> xgerman: mickeys: even if it is not an official session - we can get the right folks in a room for a constructive discussion
00:46:00 <xgerman> so what I am saying is that official design sessions != constructive discussions
00:46:07 <SridarK> :-)
00:48:05 <SridarK> ok this is good i think atleast all of us are on the same page :-)
00:48:11 <xgerman> so when are people coming to Tokyo? I will be there Sunday night so we can meet early and hammer stuff out
00:48:34 <ajmiller> Sunday night
00:48:35 <SridarK> xgerman: i get on on Sun eve or so
00:48:58 <hoangcx> Yes. I will be there Sunday too.
00:49:01 <mickeys> Still waiting for approval. Assuming I go, I can arrange to be there on Sunday night.
00:49:25 <xgerman> great!! I think they start Tuesday so we have Monday to hammer stuff out ;-)
00:49:43 <SridarK> xgerman: yes we do have Mon
00:50:09 <xgerman> hopefully there will be some time for sight seeing ;-)
00:50:35 <SridarK> lets use mickeys etherpad:  #link https://etherpad.openstack.org/p/FWaaS_with_DVR meanwhile to add and discuss
00:50:42 <xgerman> +1
00:50:56 <mickeys> I thought we would use xgerman's API evolution etherpad for the API discussion
00:51:06 <mickeys> Sorry, sc68cal's API evolution
00:51:14 <xgerman> yeah sc68cal --
00:51:33 <SridarK> mickeys: oh ok - forgot abt that - yes makes more sense
00:51:57 <xgerman> we need to come up with some api spec
00:52:08 <mickeys> xgerman: +1
00:52:27 <hoangcx> mickeys: Can you point the API evolution etherpad out?
00:52:42 <xgerman> sc68cal thing is on trello
00:52:47 <SridarK> ok perfect lets evolve the spec from this ether pad
00:52:57 <mickeys> #link https://etherpad.openstack.org/p/fwaas-api-evolution-spec
00:53:29 <hoangcx> mickeys: Thanks :-)
00:53:40 * xgerman was just looking up that link
00:54:27 <xgerman> 6 minutes left… so...
00:54:28 <mickeys> Use cases, input to the discussion, are at
00:54:30 <mickeys> #link https://trello.com/b/TIWf4dBJ/fwaas-usecase-categorization
00:55:07 <xgerman> +1
00:55:07 <SridarK> ok that was a good healthy discussion and we have our first priority to flush out a strawman
00:56:32 <SridarK_> Anything else we are nearing the end
00:57:04 <SridarK_> xgerman: i got bounced out and back in can u pls take us to the end :-)
00:57:41 <reedip> Is there a scope of introducing Application based firewall rules in openstack?
00:57:43 <xgerman> hsure
00:58:01 <xgerman> reedip we would love to
00:58:07 <xgerman> look at the troll board
00:58:12 <SridarK_> reedip: this was on the cards yes - but lower priority
00:58:13 <xgerman> trello
00:58:38 <reedip> xgerman,sridark_ : Oh ok .. I  will
00:58:45 <mickeys> We are also interested, but given how much work is in front of us, I think we should put in the service group / service object redirection first. Then we can add application level stuff inside service object later.
00:59:19 <xgerman> well, one minute
00:59:47 <badveli_> mickeys: we are putting it in first phase of mitaka
01:00:01 <xgerman> #endmeeting