#openstack-meeting-3 log

15:01:33 <pc_m> #startmeeting vpnaas
15:01:34 <openstack> Meeting started Tue Dec 16 15:01:33 2014 UTC and is due to finish in 60 minutes.  The chair is pc_m. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:38 <openstack> The meeting name has been set to 'vpnaas'
15:01:45 <pc_m> #chair pc_m
15:01:46 <openstack> Current chairs: pc_m
15:01:51 <pc_m> Hi folk!
15:02:12 <pc_m> #topic Announcements
15:02:31 <matrohon> hi pc_m : thanks for chairing
15:02:46 <pc_m> VPNaaS repo is now up and working, UT are active.
15:02:50 <pc_m> matrohon: Sure
15:03:06 <nati_ueno> yay!
15:03:07 <pc_m> #link https://review.openstack.org/#/c/141532/
15:03:19 <Swami> pc_m: when you say it is up and working, the legacy ipsec service is it fully functional
15:03:19 <mhanif> Great!
15:03:52 <pc_m> Swami: The unit tests are all activated and pass.
15:04:19 <pc_m> Swami: I'm still trying to get my test bed running to check connections.
15:04:32 <Swami> ok. I will try it out.
15:04:41 <matrohon> pc_m : is there already a wiki page with an agenda?
15:04:47 <matrohon> for this meeting?
15:04:50 <pc_m> Swami: please do. Thanks!
15:05:13 <pc_m> matrohon: Yes... #link https://wiki.openstack.org/wiki/Meetings/VPNaaS
15:05:58 <pc_m> I'm working on tweak to UTs #link https://review.openstack.org/#/c/141932, but grenade tests are currently broken.
15:06:56 <pc_m> For L3 refactoring, the VPN agent is being split out. The main commit for the refactoring in Neutron is #link https://review.openstack.org/#/c/136549/
15:07:20 <pc_m> And the VPN handlers are in #link https://review.openstack.org/#/c/140918/
15:07:56 <pc_m> The L3 agent refactoring is on-going, so there will be some changes to the handlers and notification points.
15:08:08 <pc_m> Plan is to try to reduce the number of handlers.
15:08:14 <Swami> pc_m: what is this event_observer
15:08:36 <pc_m> Swami: Sure.
15:08:55 <pc_m> To decouple the agents from L3, we did the following...
15:09:35 <pc_m> Created a service object, which is a "listener" for L3 events. This object has handler methods that will take service specific actions for events.
15:09:47 <SridharRamaswamy> Hi
15:10:12 <pc_m> The service object will "register" with the event observer, which is just a set of observers.
15:10:54 <pc_m> In the L3 agent, then, it will tell the event_observer to "notify" all listeners for the event that occurred.
15:11:07 <pc_m> SridharRamaswamy: hi
15:11:16 <Swami> pc_m: thanks for the explanation
15:11:18 <Swami> that helps.
15:11:28 <pc_m> Swami: your welcome.
15:11:38 <matrohon> will it be easy to register 3rd party service in the agent?
15:11:46 <Swami> It would be great if these things are captured in a wiki so that new developers can take advantage of the design.
15:12:14 <matrohon> Swami : +1
15:12:27 <vikram_> Swami: +1
15:13:25 <pc_m> Swami: Good idea. I can talk to carl, as there is a BP, but nothing more detailed.
15:13:50 <matrohon> pc_m : ^^
15:13:56 <pc_m> #action pc_m to talk to carl_baldwin about a Wiki for observer design.
15:14:08 <Swami> pc_m: at least on the advanced services side, we should hence forth start documenting the new changes that are happening.
15:14:48 <pc_m> matrohon: yes. So there is one service instance, so 3rd party can hook to same service.
15:15:20 <SridharRamaswamy> Swami: +1, perhaps in doc/source/devref
15:15:40 <pc_m> matrohon: As is today, the device driver is called in these handlers, and the 3rd party driver can take necessary actions.
15:15:53 <pc_m> Swami: good point
15:16:20 <matrohon> pc_m : by necessary action, you mean manipulate the qrouter accordingly
15:17:29 <pc_m> matrohon: It's the same as it is today. Today, L3 agent calls VPN agent method (e.g. _router_added) and the VPN agent tells device driver to do some action (e.g. sync)
15:18:13 <pc_m> matrohon: We're moving that VPN agent logic out of the agent (which is part of L3 agent) and into a new object (VPNService), so they are decoupled.
15:18:49 <pc_m> Take a look at https://review.openstack.org/#/c/140918/ to see how things were moved.
15:18:53 <matrohon> pc_m : thanks, this refactoring looks really nice
15:19:01 * pc_m hoping it is sort of clear
15:19:17 <pc_m> Any other Qs on L3 refactoring as it applies to VPN?
15:20:07 <pc_m> Other announcement was Edge VPN #link https://review.openstack.org/#/c/136929/
15:20:34 <pc_m> mhanif: Did you want to talk on that?
15:20:42 <mhanif> pc_m: Thanks.  Yes.
15:20:52 <pc_m> floor is yours
15:21:10 <mhanif> As some of you know, we been asked to incubate this outside of Neutron
15:21:21 <mhanif> So, would like to understand the logistics
15:21:39 <mhanif> Should this be at the stackforge now?
15:22:02 <mhanif> Do advanced services now follow similar model?
15:22:11 <mhanif> after the split?
15:22:15 <pc_m> mhanif: not yet.
15:22:59 <pc_m> mhanif: They are splitting out vendor plugins in Neutron, but nothing about splitting services or vendor drivers for services (at this time).
15:23:15 <mhanif> Ok.  Got it.
15:23:38 <pc_m> mhanif: Do you recall who asked? We can follow up wih them.
15:23:46 <pc_m> with
15:24:09 <pc_m> Or better yet can I assign you an action? :)
15:24:40 <mhanif> pc_m: It was Salvatore.  It was just a customary comment which was given to those who were given -2
15:25:05 <mhanif> It went like:
15:25:07 <mhanif> This spec was given a -2 by the drivers team because the work proposed is of limited community appeal or lack of community consensus. The drivers team suggests that an extension project within the community ecosystem is a viable way forward.
15:25:41 <matrohon> mhanif, salv-orlando : I don't understand this neither
15:26:15 <mhanif> Hmmm.  I see that L2gateway was given the same comment
15:26:21 <matrohon> does this means that we have to move forward on stackforge? incubator? advanced services?
15:26:43 <pc_m> matrohon: All good questions :)
15:26:49 <mhanif> Not sure.  I have asked him in a separate email but no response so far
15:27:24 <pc_m> mhanif: Would you like to take it as an action item to pursue this with the Driver's team?
15:27:37 <mhanif> pc_m: Sure, will do.
15:27:44 <pc_m> mhanif: thanks
15:27:50 <mhanif> pc_m: Thanks
15:28:10 <pc_m> #action mhanif to check with drivers team on where Edge VPN should be developed.
15:28:31 <pc_m> What about L2 gateway?
15:29:03 <mhanif> pc_m: It seems that they have put together a stackforge site to take it forward
15:29:20 <pc_m> mhanif: matrohon: Do either of you want to ask about that.
15:30:04 <mhanif> Sure.  I can pose the question during my interaction with the driver team
15:30:15 <pc_m> #action mhanif to ask about development location for L2 Gateway.
15:30:19 <pc_m> mhanif: Thanks!
15:30:30 <mhanif> pc_m: You are welcome
15:30:31 <matrohon> pc_m , mhanif : great thanks
15:30:36 <pc_m> I think that hits announcements (whew!)
15:30:46 <pc_m> #topic Bugs
15:31:07 <pc_m> I don't see anything other than some adv services split items.
15:31:20 <pc_m> If you have bugs, please rebase them to the new repo.
15:31:34 <Swami> pc_m: there is one bug with respect to VPN and DVR
15:31:47 <Swami> I had a patch for it in the neutron branch
15:31:52 <pc_m> Swami: Do you have link?
15:31:58 <Swami> yes
15:32:19 <Swami> #link https://review.openstack.org/#/c/127133/
15:32:41 <Swami> #link https://bugs.launchpad.net/neutron/+bug/1356467
15:33:03 <Swami> I need to refactor this patch based on the current L3 agent refactor.
15:33:14 <Swami> If it is ready I will refactor it and post it again.
15:33:16 <pc_m> Swami: Thanks. So looks like you can move it over to neutron-vpnass
15:33:38 <Swami> pc_m: Yes will do it this week
15:33:50 <pc_m> Swami: Thanks!
15:34:31 <pc_m> Anything else on bugs?
15:34:57 <pc_m> #topic Specs
15:35:24 <pc_m> Just FYI, there is a StrongSwan spec.  #link https://review.openstack.org/#/c/101457/
15:35:26 <salv-orlando> matrohon: regarding those -2s on "edge vpns" that's because the neutron driver team believes these activities can be developed off tree without any oversight from the core team. So just do it - don't ask for anbody's approval
15:36:21 <matrohon> salv-orlando : thanks; so stackforge is the best place to move forward?
15:36:38 <pc_m> salv-orlando: Thanks salv-orlando: By off-tree, do you mean stackforge?
15:37:31 <SridharRamaswamy> on that subject looks l2 gateway stackforge is  at #link https://github.com/stackforge/networking-l2gw
15:38:37 <pc_m> SridharRamaswamy: thanks for the link.
15:39:37 <matrohon> stackforge sounds the best place for all of us who implements Edge vpn integration with different API.
15:39:57 <matrohon> since no consensus seems to emerge
15:40:03 <pc_m> I guess it'll be good to understand the whole process for off-tree work and how to integrate it into Neutron/VPNaaS.
15:41:13 <pc_m> On the strongswan spec, they are giving an extension to work out the details.
15:41:42 <matrohon> I think l2-gw and GBP are good example of that
15:42:03 <pc_m> Question: Should openstack support both StrongSwan *and* OpenSwan, or should StrongSwan replace OpenSwan (over time)?
15:42:32 * pc_m wondering about the advantages of having both over the effort to support both.
15:42:53 <pc_m> nati_ueno: any thoughts on ^^
15:42:54 <nati_ueno> now RHEL supports StrongSwan, right?
15:43:06 <nati_ueno> if os, I'm +1 for replace it in future
15:43:09 <pc_m> I think that is the case.
15:43:15 <nati_ueno> however, we may have user for OpenSwan now
15:43:20 <Swami> pc_m: good question, I think we need to support "strongswan" in addition to what we have now.
15:43:21 <nati_ueno> so we need to have deplication frame
15:43:41 <pc_m> nati_ueno: Way back, was there some issue with StrongSwan (and hence the decision to go to OpenSwan)?
15:44:00 <nati_ueno> RHEL wasn't support StrongSwan at that time
15:44:14 <Swami> pc_m: I don't there was any issue with strongswan it was because of the redhat support we moved to Openswan.
15:44:18 <pc_m> I thought there was some tech issue on Ubuntu.
15:44:35 <pc_m> techical
15:44:41 <pc_m> technical
15:44:57 <pc_m> Swami: Great.
15:45:03 <Swami> pc_m: I don't recall any technical issue with strongswan.
15:45:05 <nati_ueno> I'm not aware of StrongSwan issue
15:45:22 <nati_ueno> I think StrongSwan is better according to usability of softwae
15:45:31 <nati_ueno> documentation, etc
15:45:35 <Swami> In fact strongswan has more new features then openswan
15:45:45 <nati_ueno> right
15:46:11 <pc_m> That's what I recall. I just vaguely remember some issue... namespaces or something.
15:46:17 <Swami> guys I need to drop off I will catch up with the logs.
15:46:21 <pc_m> Probably my fading memory.
15:46:25 <Swami> bye
15:46:26 <pc_m> :)
15:46:35 <pc_m> Swami: bye
15:46:38 <pc_m> #action Plan to support both StrongSwan and OpenSwan, with the latter deprecated over time (need to figure out when).
15:46:57 <pc_m> Anything else on this item?
15:47:26 <pc_m> #topic Open Discussion
15:47:58 <pc_m> Anyone have any items to discuss?
15:48:02 <matrohon> is there any news on openssl support?
15:48:19 <matrohon> nati_ueno : ^^
15:48:35 <nati_ueno> I'll check Barbican status
15:48:37 * pc_m gald you pointed to nachi as I'm clueless
15:49:04 <pc_m> #action nati_ueno to check Barbican status for openssl
15:49:24 <matrohon> I'm also happy to see that vpnaas is leveraged by heat mluti-region
15:49:45 <pc_m> matrohon: There was a commit for ssl-vpn, is there a blueprint for that?
15:50:02 <nati_ueno> https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support
15:50:04 <pc_m> matrohon: Nice ^^
15:50:07 <nati_ueno> Still not there
15:50:19 <matrohon> https://wiki.openstack.org/wiki/Heat/Blueprints/Multi_Region_Support_for_Heat#Goal
15:51:04 <pc_m> Thanks for the links guys!
15:51:34 <pc_m> Anything else?
15:51:55 <pc_m> Thanks for joining in everyone!
15:52:14 <pc_m> #endmeeting