*** SumitNaiksatam_ has joined #openstack-fwaas | 01:32 | |
*** SumitNaiksatam has quit IRC | 01:35 | |
*** SumitNaiksatam_ is now known as SumitNaiksatam | 01:35 | |
*** annp has joined #openstack-fwaas | 02:42 | |
*** yamamoto has joined #openstack-fwaas | 02:45 | |
*** lnicolas has joined #openstack-fwaas | 03:47 | |
*** annp has quit IRC | 04:49 | |
*** hoangcx has quit IRC | 04:51 | |
*** hoangcx has joined #openstack-fwaas | 05:13 | |
*** eezhova has joined #openstack-fwaas | 06:16 | |
*** eezhova has quit IRC | 06:56 | |
*** eezhova has joined #openstack-fwaas | 07:33 | |
*** yamamoto has quit IRC | 09:24 | |
*** yamamoto has joined #openstack-fwaas | 09:41 | |
*** yamamoto has quit IRC | 09:46 | |
*** yamamoto has joined #openstack-fwaas | 09:46 | |
*** yamamoto has quit IRC | 09:51 | |
*** yamamoto has joined #openstack-fwaas | 10:00 | |
*** ivasilevskaya has quit IRC | 10:36 | |
*** ivasilevskaya has joined #openstack-fwaas | 11:54 | |
*** eezhova_ has joined #openstack-fwaas | 13:03 | |
*** eezhova has quit IRC | 13:05 | |
*** yamamoto has quit IRC | 13:16 | |
*** yamamoto has joined #openstack-fwaas | 13:35 | |
*** lnicolas has quit IRC | 13:45 | |
*** SarathMekala has joined #openstack-fwaas | 13:53 | |
*** chandanc has joined #openstack-fwaas | 14:04 | |
openstackgerrit | Sarath Chandra Mekala proposed openstack/neutron-fwaas-dashboard master: FWaaS V2 Horizon Dashboard https://review.openstack.org/475840 | 14:06 |
*** chandanc has quit IRC | 14:08 | |
*** reedip_ has joined #openstack-fwaas | 14:19 | |
reedip_ | meeting is on thursday , guys | 14:20 |
reedip_ | jfyi | 14:20 |
SarathMekala | oh.. ok.. thanks for the info | 14:20 |
reedip_ | i think i sent the email ? | 14:20 |
SarathMekala | was wondering what happened :) | 14:20 |
SarathMekala | i may have missed it.. was on vacation last week | 14:21 |
reedip_ | :D | 14:21 |
SarathMekala | is it the same time? | 14:21 |
reedip_ | yep | 14:22 |
reedip_ | but on #openstack-fwaas | 14:22 |
reedip_ | i.e. this channel | 14:22 |
SarathMekala | ok.. thanks | 14:23 |
reedip_ | np :) | 14:23 |
*** SarathMekala has quit IRC | 14:23 | |
*** yamamoto has quit IRC | 14:26 | |
*** eezhova_ has quit IRC | 14:26 | |
*** reedip_ is now known as reedip_afk | 14:27 | |
*** reedip_afk has quit IRC | 14:35 | |
*** reedip_afk has joined #openstack-fwaas | 14:45 | |
*** reedip_afk has quit IRC | 15:13 | |
*** reedip_ has joined #openstack-fwaas | 15:14 | |
*** reedip_ has quit IRC | 15:15 | |
*** reedip_ has joined #openstack-fwaas | 15:15 | |
*** yamamoto has joined #openstack-fwaas | 15:26 | |
*** yamamoto has quit IRC | 15:34 | |
*** reedip_ has quit IRC | 15:51 | |
*** reedip_ has joined #openstack-fwaas | 15:55 | |
openstackgerrit | Inessa Vasilevskaya proposed openstack/neutron-fwaas master: Introduce default firewall groups https://review.openstack.org/425769 | 16:00 |
reedip_ | ivasilevskaya : hi , what did you change in the current patch ? | 16:07 |
ivasilevskaya | reedip_ most major thing - I brought back ensure_default_fwg flag in create_firewall_group | 16:08 |
reedip_ | ivasilevskaya : exactly, I am thinking why :) | 16:08 |
ivasilevskaya | I removed it around PS 33 and that wasn't a clever thing to do | 16:08 |
reedip_ | I am not sure about the importance of the default_fwg attribute in create_firewall_group | 16:09 |
ivasilevskaya | well it is useful to know whether we are dealing with default fwg or not when we are inside create firewall group | 16:09 |
ivasilevskaya | during debugging and to align with neutron SG | 16:10 |
reedip_ | brb | 16:10 |
ivasilevskaya | I had my doubts but yushiro's comment solved them. Are you stricty against it? | 16:11 |
ivasilevskaya | strictly* | 16:11 |
reedip_ | ivasilevskaya : question . Do we need to be Exactly a duplicate of SG ? :) | 16:11 |
ivasilevskaya | of course no | 16:11 |
reedip_ | I am not against it, but I dont find it very useful. I think it can be handled in other sense as well | 16:11 |
reedip_ | ok, one question , in Line#1047 , you put _ensure_firewall_group | 16:12 |
reedip_ | https://review.openstack.org/#/c/425769/45..46/neutron_fwaas/db/firewall/v2/firewall_db_v2.py@1047 | 16:12 |
reedip_ | Earlier it was _create | 16:12 |
reedip_ | Now, if the default fwg doesnt exist, _ensure wont create the default fwg , would it ? | 16:13 |
ivasilevskaya | no it will of course | 16:13 |
ivasilevskaya | it's ensure because it make sure that default fwg is there :) | 16:13 |
reedip_ | oh .. damn, I skipped a part of the code.. wait lemme recheck :) | 16:13 |
ivasilevskaya | makes* sorry my keyboard needs cleaning | 16:13 |
ivasilevskaya | it would be cool if you could test it on devstack too. I'm coming up with the brand new env so it will take some time | 16:14 |
reedip_ | ok, I see you added a return of the fwg id. I think its a good addition, but it is not being consumed anywhere right now. | 16:15 |
reedip_ | :) | 16:15 |
reedip_ | ivasilevskaya : but I have one issue | 16:16 |
reedip_ | ivasilevskaya : you see you have already setup everything for creating the default fwg in _ensure_default_firewallgroup | 16:18 |
reedip_ | ivasilevskaya : I commented. I am very much inclined to fix it, but I would not like to take it away from your hands . You are doing an exceptional job, and I am learning a few things from you :) | 16:26 |
*** eezhova has joined #openstack-fwaas | 16:41 | |
*** SumitNaiksatam has quit IRC | 16:48 | |
ivasilevskaya | reedip_ don't make me blush :) | 16:55 |
ivasilevskaya | reedip_ I've answered your comments | 16:56 |
reedip_ | naah , its a fact :) | 16:56 |
reedip_ | ok, lemme check | 16:56 |
reedip_ | ivasilevskaya : Mentioned back to you :) | 17:10 |
reedip_ | ivasilevskaya : We already have the check for the user in https://review.openstack.org/#/c/425769/46/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@224 | 17:12 |
reedip_ | ivasilevskaya : and the DB functions are called AFTER the plugin | 17:13 |
reedip_ | ivasilevskaya : so I am still not sure if we need to guard it or not.... | 17:13 |
reedip_ | IMHO I dont think its required. I am still open to it but need a better case to be properly convinced :) | 17:14 |
ivasilevskaya | reedip_ that's different. This create_firewall_group will be called as a result of user request but has nothing to do with default group creation on list command | 17:15 |
*** SumitNaiksatam has joined #openstack-fwaas | 17:15 | |
reedip_ | ivasilevskaya : ok, but the reason why you have the default_fwg attribute is to guard against user requests, right? | 17:15 |
reedip_ | * the default_Fwg attribute in the create_firewall_group() function * | 17:16 |
ivasilevskaya | not to guard only but to differentiate between 2 behaviors - system one (creation on list) and user one | 17:16 |
reedip_ | exactly. The user wont be able to reach here, because the plugin is already guarding the DB | 17:16 |
reedip_ | so the user one wont reach here, and therefore we do not need to have 2 different behaviors. We can keep them similar. Because "default" would only be requested by system. Not user. | 17:17 |
ivasilevskaya | I believe the best solution to this dilemma is you push a patch and fix it the way you like and then other people vote for the approach they like more | 17:20 |
reedip_ | ivasilevskaya : yes, but I think if I can convince you, then it would be easier for me in the long run :) | 17:21 |
reedip_ | I dont disagree with your point but I do find that this is not necessary when the code flow wont ever hit it | 17:22 |
ivasilevskaya | reedip_ the test coverage is pretty poor so no one can be sure how code exactly flows :( | 17:22 |
reedip_ | if there is a flow where in the DB would be accessed before the Plugin, then I am for sure going to take up the default_fwg attribute. But as far as I can see, it wont | 17:22 |
reedip_ | ivasilevskaya : yes, we need some tempest test cases. Let me start working on tempest scenarios for this then. Then maybe we can experiment with it. | 17:23 |
*** eezhova has quit IRC | 17:23 | |
ivasilevskaya | reedip_ I just note that this stuff was introduced by yushiro originally. Maybe for a stronger reason than I described. That was me who removed this logic so I thought it would be right if I brought it back | 17:24 |
reedip_ | but do know that we have less than 2 weeks for Q1 and if we do not close the patches, within 2-4 weeks, we would be in deep trouble | 17:24 |
reedip_ | ivasilevskaya : Ok, let me discuss with yushiro on Thursday during the weekly meeting then | 17:24 |
ivasilevskaya | I believe the fastest way is "you file a PS with a comment", he comes and resolves a matter tomorrow :) | 17:25 |
reedip_ | if he comes tomorrow .. he has been a bit busy. I will do it though | 17:26 |
reedip_ | I will make a PS tomorrow evening, so that Thursday we have time to discuss | 17:26 |
ivasilevskaya | reedip_ just make sure that tests pass, please, so that no patchsets to fix tests follow. It will make the comparison a bit easier for reviewers | 17:27 |
reedip_ | I remember your shouting in the other PS.. ;) | 17:28 |
ivasilevskaya | reedip_ so sorry | 17:29 |
reedip_ | naah , you are correct... | 17:29 |
reedip_ | anyways, I better go.. today was leg day at the gym and now its taking its toll... good night, I will follow up with the PS tomorrow | 17:30 |
*** reedip_ is now known as reedip_leaving | 17:30 | |
ivasilevskaya | reedip_ good night) | 17:30 |
*** reedip_leaving has quit IRC | 17:35 | |
ivasilevskaya | Oh, cool, non-admin user can easily destroy default fwg by updating egress\ingress policy with --no-firewall-rule | 17:53 |
ivasilevskaya | I believe default policy access isn't checked at all | 17:55 |
*** eezhova has joined #openstack-fwaas | 19:15 | |
ivasilevskaya | don't know when did that break but I added a couple of UT | 19:17 |
*** eezhova has quit IRC | 20:09 | |
openstackgerrit | Inessa Vasilevskaya proposed openstack/neutron-fwaas master: Introduce default firewall groups https://review.openstack.org/425769 | 20:32 |
*** ivasilevskaya has quit IRC | 20:47 | |
*** SumitNaiksatam has quit IRC | 23:06 | |
*** lnicolas has joined #openstack-fwaas | 23:27 |