Wednesday, 2017-08-02

[00:10] *** SridarK has quit IRC
[02:24] *** yamamoto has quit IRC
[02:30] *** yamamoto has joined #openstack-fwaas
[02:31] *** https_GK1wmSU has joined #openstack-fwaas
[02:34] *** https_GK1wmSU has left #openstack-fwaas
[02:35] *** yamamoto has quit IRC
[02:36] *** yamamoto has joined #openstack-fwaas
[02:41] *** yamamoto has quit IRC
[02:45] *** yamamoto has joined #openstack-fwaas
[02:46] *** chandanc has joined #openstack-fwaas
[03:33] *** yamamoto has quit IRC
[03:47] *** yushiro has joined #openstack-fwaas
[03:48] <yushiro> chandanc, hi.
[03:49] *** yamamoto has joined #openstack-fwaas
[03:53] <reedip> yushiro : hi
[03:53] <yushiro> reedip, hi
[03:53] <reedip> sorry my PC crashed last night so I didn't get to see the end of the meeting
[03:53] <reedip> yushiro : do we need to continue on https://review.openstack.org/#/c/486377/ ?
[03:53] <yushiro> oh, I understood.  That's why you suddenly logged out..
[03:54] <reedip> I merged the changes in https://review.openstack.org/#/c/488438/2
[03:54] <yushiro> OK, If you merged my patch into your one, I'll abandon it.
[03:55] <yushiro> no need to keep it open.
[03:55] <reedip> yushiro : I merged my patch into yours !
[03:55] <reedip> DON'T ABANDON YOUR PATCH :D
[03:55] <yushiro> OK.
[03:55] <yushiro> ahaw
[03:55] <yushiro> aha
[03:55] <yushiro> I see.  Thanks for your work :)
[03:55] <reedip> anyways .. I think the V1 code needs to be updated for 1614680
[03:55] <yushiro> I'll check it later. ( I just arrived at my office)
[03:56] <reedip> as we discussed yesterday
[03:56] <yushiro> OK.
[03:56] <yushiro> I'll fix both v1 and v2
[03:56] <reedip> ok .. give me some time, I also found some information about the multiple firewall policy association with the rules.. will push a patch on it today
[03:57] <yushiro> I wanted to discuss it yesterday but my turn (l2-agent) took so long and I couldn't.
[03:57] <yushiro> sorry
[04:01] <reedip> sent you the chat logs, which I saved long back
[04:05] *** yamamoto has quit IRC
[04:05] <yushiro> thanks, just got them
[04:07] <yushiro> hmm, we discussed that a 'firewall_policies' attribute should be inserted into 'firewall_rule'
[04:07] <yushiro> I'm just concerned about whether Sridar could see this conversation or not :)
[04:08] <yushiro> Anyway, I think it's OK to implement.
[04:10] *** yamamoto has joined #openstack-fwaas
[04:50] *** yamamoto has quit IRC
[05:05] <openstackgerrit> Reedip proposed openstack/neutron-fwaas master: [WIP]Add firewall_policy_id in FWaaS v2  https://review.openstack.org/370731
[05:05] <reedip> yushiro : updated patch  ^^
[05:06] *** vks1 has joined #openstack-fwaas
[05:06] *** vks1 has quit IRC
[05:07] *** yamamoto has joined #openstack-fwaas
[05:09] *** vks1 has joined #openstack-fwaas
[05:14] *** SridarK has joined #openstack-fwaas
[05:14] <yushiro> reedip, thanks.
[05:14] <yushiro> reedip, but please wait....
[05:17] <yushiro> SridarK, hi
[05:20] <SridarK> yushiro: hi
[05:24] <yushiro> SridarK, Good afternoon.  I realized that v2 cannot check 'position' of a firewall-rule.  Is 'position' a hidden parameter for the user?
[05:25] <SridarK> yushiro: hmm let me see
[05:26] <yushiro> In v1, firewall_rule : firewall_policy is a 1-to-1 relation.  As a result, 'position' can be checked in the firewall_rule dict after it is associated with a firewall_policy
[05:28] <yushiro> Now, we are discussing the relation between firewall_policy and firewall_rule for v2
[05:29] <SridarK> yushiro: yes, the firewall_policy_rule_associations_v2 table tracks the position of a rule for a particular policy
[05:29] <SridarK> with v1 it was simple: we tracked the policy id and position as part of the rule db row
[05:30] <yushiro> Yes
[05:31] <yushiro> So, in v2, a firewall_rule can be associated with multiple policies, right?
[05:32] <SridarK> yushiro: yes exactly
[05:32] <yushiro> If so, firewall_rule must have an attribute named 'firewall_policies' which is a list of dicts as follows:
[05:33] <SridarK> yes that area with the show commands is broken
[05:33] <yushiro> [{'firewall_policy_id': <firewall-policy-id>, 'position': <position_num>},  {...}]
[05:33] <SridarK> yes - i think we only break the show cmd of a rule
[05:34] <SridarK> it is a lower priority - i think if we can get our other things lined up we can get this in
[05:34] <yushiro> OK, now reedip is trying to fix it: https://review.openstack.org/370731
[05:34] <SridarK> yes
[05:34] <yushiro> I'll comment on his patch about our discussion result.  Thank you.
[05:34] <yushiro> SridarK, agree this is lower priority
[05:35] <yushiro> I'd like to specify a decision for implementation :)
[05:35] <SridarK> how is the L2 agent stuff coming along
[05:36] <yushiro> hmm, I pinged chandanc but no response..
[05:36] <SridarK> lets evaluate over the next 2 days
[05:36] <SridarK> and decide
[05:36] <yushiro> yes
[05:36] <SridarK> I am hoping we can get the Horizon changes in
[05:36] <yushiro> Yes, sure.
[05:37] <SridarK> If u see SarathMekala come online in a few hours can u remind him to prepare for FFE
[05:37] <yushiro> SridarK, of course.
[05:37] <SridarK> i think we can land this
[05:38] <SridarK> i think he put together an etherpad for setup - i would like to test more as he churns the patches
[05:38] <yushiro> yeah
[05:39] <yushiro> Now, I'm rebuilding my devstack env with the horizon patch
[05:39] <SridarK> so we can be confident - IMHO - that will improve user experience and encourage more folks to try
[05:39] <SridarK> yushiro: o
[05:39] <SridarK> *ok
[05:40] <yushiro> Yes, I'd like to comment more on the horizon patch from a user point of view.
[05:40] <SridarK> yushiro: +1
[05:53] *** vks1 has quit IRC
[06:03] *** vks1 has joined #openstack-fwaas
[06:08] *** SridarK has quit IRC
[06:11] <reedip> Just caught up with the logs
[06:21] <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: FWaaS v2 extension for L2 agent  https://review.openstack.org/323971
[06:21] <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Generate default firewall group via project  https://review.openstack.org/425769
[06:21] <openstackgerrit> Yushiro FURUKAWA proposed openstack/neutron-fwaas master: OVS based l2 Firewall driver for FWaaS v2  https://review.openstack.org/447251
[06:23] <openstackgerrit> Reedip proposed openstack/neutron-fwaas master: [WIP]Add firewall_policy_id in FWaaS v2  https://review.openstack.org/370731
[06:32] <yushiro> chandanc, If you have time, could you check https://etherpad.openstack.org/p/fwaas-v2-l2-agent  in the OF rule difference section?
[06:33] <yushiro> I pasted 'ovs-ofctl dump-flows br-int' before/after VM create/delete
[07:05] <reedip> yushiro : I have a very simple question. but not able to solve it
[07:05] <reedip> I have 2 VMs : VM - A on Ubuntu Host A
[07:05] <reedip> VM- B on Ubuntu Host B
[07:06] <reedip> both hosts have a different IP address
[07:06] <reedip> I want VM-A to ping VM-B without VxLAN
[07:06] <yushiro> yup
[07:06] <reedip> do you have any idea how to do it ?
[07:08] <yushiro> let me check more..  Is network_type 'vxlan' ?
[07:08] <reedip> no
[07:08] <yushiro> What 'network_type' are you using?
[07:08] <reedip> no this is not openstack :)
[07:09] <yushiro> not openstack, OK
[07:09] <reedip> this is a normal unix query :)
[07:10] <yushiro> VM:A and VM:B have private IP addresses, right?   and these VMs cannot be accessed from external HOST A/B
[07:10] <reedip> VM A , VM B are on Pvt IP address
[07:11] <reedip> They are not Bridged , so VM B cannot be accessed from HOST A
[07:11] <yushiro> OK
[07:12] <yushiro> I think it is possible to communicate by setting NAT (iptables) on HOST A and B
[07:13] <reedip> pre routing and post-routing ?
[07:17] <yushiro> prerouting
[07:17] <yushiro> NAT and port forward
[07:17] <reedip> pre routing in A and Post routing in B , right ?
[07:19] <yushiro> yes maybe.
[07:21] <yushiro> e.g. VMA -> VMB (http)    VMA tries to access  HOSTB:10080    In hostB, port-forward should be set (host:10080 -> VMB:80 )
[07:21] <reedip> hmm
[07:22] <yushiro> I think the same approach is OK even if the protocol is icmp
[07:23] <yushiro> Although I don't fully understand your environment yet ;)
[07:24] <reedip> yushiro : but now we would have masquerading :)
[07:25] <reedip> sudo iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE -s X.X.X.X
[07:30] <yushiro> iptables -t nat -A PREROUTING -m tcp -p tcp --dst 192.168.1.30 --dport 1234 -j DNAT --to-destination 10.0.2.50:80
[07:30] <yushiro> iptables -t nat -A POSTROUTING -m tcp -p tcp --dst 10.0.2.50 --dport 80 -j SNAT --to-source 10.0.2.40
[07:30] <yushiro> I mean pre/post routing is like that
[07:32] <reedip> I got confused in the postrouting part
[07:32] <yushiro> please read 192.168.1.30 and 10.0.2.40 as HOSTB addresses
[07:33] <yushiro> If we don't do POSTROUTING, an unknown source IP address exists for VMB
[07:34] <yushiro> HOST has 2 IP addresses ( Outside address and private address )
[07:34] <reedip> hmm
[07:34] <reedip> is 192 the inside IP ?
[07:34] <yushiro> by changing the source IP address to HOST B's private IP address, VM B can understand where the source IP address is.
[07:34] <yushiro> no, outside
[07:35] <yushiro> 10.0.2.40 is the inside IP for HOSTB
[07:35] <reedip> ok ...
[07:35] <reedip> lemme check
[07:37] <reedip> so we have host B ( 192.168.1.30 ) with the VM deployed as 10.0.2.40 , right ?
[07:38] <reedip> or do you mean that host B has one IP to the external network ( 192.168.1.30 ) and one to the internal network ( 10.0.2.40 ) with the VM deployed as 10.0.2.50
[07:38] <yushiro> outside IP: 192.168.1.0,  VM IP: 10.0.2.0
[07:38] <yushiro> ah, the latter case is correct
[07:38] <reedip> hmm
[07:39] <reedip> let me try
[07:39] <yushiro> I think host as at least 1 private IP address to communicate to VM instances.
[07:39] <reedip> yeah
[07:39] <yushiro> s/host/host has/
[07:50] <reedip> yushiro : the prerouting seems correct but the postrouting seems confusing still
[07:51] <reedip> iptables -t nat -A POSTROUTING -m tcp -p tcp --dst 10.0.2.50 --dport 80 -j SNAT --to-source 10.0.2.40    : Why would the --dst be 10.0.2.50 , won't it be --src ?
[07:54] <yushiro> hmm, because VM:B cannot solve VM:A's IP address
[07:54] <yushiro> As a result, the reply from VM:B tries to go to the default gateway
[07:55] <yushiro> In this case, they cannot communicate.
[07:55] <reedip> 10.0.2.40 is the Pvt IP of HostB
[07:55] <reedip> 10.0.2.50 is the IP of the VM B
[07:55] <yushiro> yes
[07:55] <reedip> if we consider 10.0.2.30 the IP of VM A
[07:56] <reedip> then the postrouting on Host A would be iptables --table nat -A POSTROUTING --dst 10.0.2.50 --out-interface eth0 -j MASQUERADE -s 10.0.2.30
[07:56] <reedip> is that right ?
[07:58] <yushiro> hmm, why did you use MASQUERADE?  You said it had already been configured.
[07:59] <reedip> no , it hasn't , I checked it now ...
[07:59] <reedip> I am trying to experiment and not able to complete it.. that's why I'm trying to understand
[07:59] <reedip> should I not masquerade ?
[08:01] <yushiro> OK, which hypervisor are you using?
[08:01] <yushiro> KVM ?
[08:02] <yushiro> If you use KVM and the default network, no need to configure MASQUERADE.
[08:02] <reedip> virtmanager
[08:02] <reedip> not a default network
[08:02] <reedip> i mean libvirt
[08:02] <yushiro> OK
[08:03] <yushiro> Can VMA communicate with HOST B?
[08:03] <yushiro> or the internet?
[08:03] <reedip> Nope
[08:04] <reedip> it cannot
[08:06] <reedip> Ok , I added a route and now it can
[08:07] <yushiro> It's OK as long as the VM can access the outside :)
[08:08] <yushiro> After that, adding the above pre/post rules into iptables makes VM:A connect to VM:B on an individual port (SSH, HTTP or ICMP)
[08:08] <reedip> but I verified and now I can see that the IP is being masqueraded :)
[08:09] <reedip> ran tcpdump on host A , and ran ping from VM A on HOST B : Seeing ICMP ECHO from Host A to Host  B :D
[08:09] <reedip> pretty complicated , the virsh is
[08:10] <yushiro> in libvirt, all VM IP addresses are NATted to the host IP address I think
[08:10] <yushiro> that is masquerade
[08:10] <reedip> Yes , I think so too
[08:10] <yushiro> So, you can add SNAT/DNAT rules into pre/post for individual port numbers.
[08:10] <reedip> Hmm ...
[08:10] <reedip> ok
[08:11] <yushiro> and pass filter for the FORWARD table
[08:14] <reedip> yushiro : thanks a lot .. I will ping you if there is any further issue
[08:14] <reedip> :)
[08:14] <yushiro> OK.  Sorry for confusing you with my unstable English ...
[08:16] <reedip> no, it's good :)
[08:17] <yushiro> thanks
[08:33] *** openstackgerrit has quit IRC
[10:29] <reedip> yushiro what did you say about the Forward table ?
[11:12] *** chandanc has quit IRC
[11:19] *** openstackgerrit has joined #openstack-fwaas
[11:19] <openstackgerrit> YAMAMOTO Takashi proposed openstack/neutron-fwaas-dashboard master: tox_install: Don't leave IFS set  https://review.openstack.org/489977
[11:26] <openstackgerrit> Hunt Xu proposed openstack/neutron-fwaas master: Use configurable conntrack driver in fwaas_v2  https://review.openstack.org/489980
[11:52] *** vks1 has quit IRC
[13:02] *** yamamoto has quit IRC
[13:18] *** yamamoto has joined #openstack-fwaas
[13:55] *** yamamoto has quit IRC
[13:56] -openstackstatus- NOTICE: We have disabled infracloud-vanilla due to the compute host running mirror.regionone.infracloud-vanilla.o.o being offline. Please recheck your failed jobs to schedule them to another cloud.
[14:46] *** reedip_ has joined #openstack-fwaas
[14:46] <reedip_> hey
[14:55] *** yamamoto has joined #openstack-fwaas
[14:56] <xgerman_> hi
[15:00] *** yamamoto has quit IRC
[15:14] *** chandanc has joined #openstack-fwaas
[15:25] *** chandanc has quit IRC
[15:26] *** vks1 has joined #openstack-fwaas
[15:27] <reedip_> what's up ?
[15:32] *** reedip_ has quit IRC
[15:43] <xgerman_> the usual… lots of work… let me know if you need any help…
[16:48] *** Tim_Eberhard has joined #openstack-fwaas
[17:53] *** vks1 has quit IRC
[18:27] *** Tim_Eberhard has quit IRC
[18:28] *** Tim_Eberhard has joined #openstack-fwaas
[18:28] *** Tim_Eberhard has quit IRC
[20:23] *** vishwana_ has joined #openstack-fwaas
[20:26] *** vishwanathj has quit IRC
[21:08] *** yamamoto_ has joined #openstack-fwaas
[21:15] *** yamamoto_ has quit IRC
[21:17] *** yamamoto_ has joined #openstack-fwaas
[21:26] *** Tim_Eberhard has joined #openstack-fwaas
[21:27] *** Tim_Eber_ has joined #openstack-fwaas
[21:28] *** Tim_Eber_ has quit IRC
[21:30] *** Tim_Eberhard has quit IRC
[21:45] *** vishwana_ has quit IRC
[21:45] *** vishwanathj has joined #openstack-fwaas
[22:16] *** vishwanathj has quit IRC
[22:16] *** vishwanathj has joined #openstack-fwaas
[22:19] <openstackgerrit> YAMAMOTO Takashi proposed openstack/neutron-fwaas-dashboard master: tox_install: Don't leave IFS set  https://review.openstack.org/489977
[22:29] *** yamamoto_ has quit IRC
[22:32] *** yamamoto has joined #openstack-fwaas
[22:36] *** yamamoto has quit IRC
[22:41] *** yamamoto has joined #openstack-fwaas
[22:44] *** yamamoto has quit IRC
[22:56] *** yamamoto has joined #openstack-fwaas
[23:11] *** yamamoto has quit IRC
[23:14] *** yamamoto has joined #openstack-fwaas

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!