Monday, 2017-10-16

01:01 *** hoangcx has joined #openstack-fwaas
01:21 *** yamamoto has joined #openstack-fwaas
02:23 *** annp has joined #openstack-fwaas
02:36 *** yamamoto_ has joined #openstack-fwaas
02:39 *** yamamoto has quit IRC
03:00 *** annp has quit IRC
03:35 *** annp has joined #openstack-fwaas
03:36 <annp> reedip, ping
03:49 <openstackgerrit> Nguyen Phuong An proposed openstack/neutron-fwaas master: Adding unique attribute for port_id  https://review.openstack.org/512154
04:25 *** yushiro has joined #openstack-fwaas
04:39 <openstackgerrit> Nguyen Phuong An proposed openstack/neutron-fwaas master: Adding unique attribute for port_id  https://review.openstack.org/512154
04:46 *** vks1 has joined #openstack-fwaas
05:11 *** hoangcx has quit IRC
05:14 *** hoangcx has joined #openstack-fwaas
06:09 <annp> yushiro, ping.
06:22 <yushiro> annp, pong
06:24 *** carl_baldwin has quit IRC
06:26 <annp> Have you checked my comment in ovs driver patch?
06:26 *** carl_baldwin has joined #openstack-fwaas
06:26 <annp> yushiro, have you checked my comment in ovs driver patch?
06:26 <yushiro> No not yet.  I'll check it.
06:27 <yushiro> annp, In addition, we considered DB unique constraint for firewall_group_port_association_v2, I think it's OK to merge later.
06:28 <yushiro> ping ivasilevskaya
06:28 *** openstackgerrit has quit IRC
06:29 <reedip> annp : pong
06:30 <yushiro> annp, I wonder about ivasilevskaya's comment on L2-agent patch.  Do you think it is possible to change state 'PENDING_CREATE' with no error?
06:30 <yushiro> s/PENDING_CREATE/PENDING_UPDATE
06:36 <annp> yushiro, assuming ivasilevskaya is using noop driver, so from my understanding, we always update firewall group status with status ACTIVE or INACTIVE, otherwise nothing.
06:38 <yushiro> annp, Yeah, noop driver never changes the fwg state.
06:39 *** AlexeyAbashkin has joined #openstack-fwaas
06:40 <annp> yushiro, Have you met her situation while you tested with your local environment?
06:43 <annp> yushiro, I'd suggest we should merge patch https://review.openstack.org/512154 first to avoid issues related to concurrency, something we couldn't expect.
06:44 <annp> yushiro, do you think so?
06:44 <yushiro> annp, No not yet.  I've tested with no error except DB duplication now.
06:45 <yushiro> annp, Yes, I think so.  I think it's OK to put +2 though l2-agent patch is mine ;)
06:45 <yushiro> annp, Hence, you don't need to update https://review.openstack.org/#/c/512154/ ASAP.
06:46 <yushiro> It's not so urgent.
06:46 *** AlexeyAbashkin has quit IRC
06:47 <annp> yushiro, OK. I got it.
06:48 <yushiro> annp, BTW, have you tested L2-agent patch?
06:50 <annp> yushiro, I haven't tested it with ivasilevskaya's case yet. I just created a firewall group and then set a port to the firewall group. L2 agent patch works fine for me. That's all
06:52 <yushiro> annp, OK, I'll put a comment about what I tested for l2-agent.
06:52 <yushiro> Then, I'll put +2
06:53 <yushiro> ah, will take a look at ovs driver patch as well.
06:53 <annp> yushiro, thanks
06:53 <annp> yushiro, :)
06:59 *** vks1 has quit IRC
07:02 *** openstackgerrit has joined #openstack-fwaas
07:02 <openstackgerrit> Nguyen Phuong An proposed openstack/neutron-fwaas master: Adding unique contraint for port_id  https://review.openstack.org/512154
07:05 <ivasilevskaya> Hi guys
07:06 <ivasilevskaya> I believe the issue I found is a bug but unrelated to l2 agent patch
07:06 <ivasilevskaya> Will work on a clear repro
07:07 <ivasilevskaya> I have my concerns about ovs driver, did you verify the generated openflow rules on br-int for correctness?
07:13 *** vks1 has joined #openstack-fwaas
07:22 <ivasilevskaya> annp: as for your suggestion to rename tables that's just what I offered to do several patchsets ago but we need to make sure they don't overlap with neutron's tables for ovs firewall
07:23 <ivasilevskaya> annp: yeah, it's ok, we should be fine - neutron's tables start from table 71
07:24 <ivasilevskaya> but overall I would not be in a haste to merge ovs driver - there are a ton of cases to test and I couldn't even get it working yet on my test bed (no flows are generated upon adding a port to firewall group)
07:25 <ivasilevskaya> annp: have you tried ovs driver patch on devstack with neutron's ovsfw security groups driver?
07:35 *** yamamoto_ has quit IRC
07:38 *** AlexeyAbashkin has joined #openstack-fwaas
08:22 *** vks1 has quit IRC
08:36 *** yamamoto has joined #openstack-fwaas
08:39 <annp> ivasilevskaya, From my understanding, we will ignore interaction between fwg and security group if firewall_l2_driver is configured: 'ovs' at the moment.
08:39 <ivasilevskaya> annp: I'd say that's an awful idea but let it be. Did you verify openflow rules on br-int?
08:40 <annp> ivasilevskaya, sorry, I haven't verified it yet.
08:40 <ivasilevskaya> annp: at least did you check that they are generated at all?
08:41 <ivasilevskaya> annp: in case "you add an active vm's port to firewall group"
08:41 <annp> ivasilevskaya, ah, I just tested this case. I saw firewall rule flows in br-int.
08:42 *** yamamoto has quit IRC
08:42 <annp> ivasilevskaya, however, I haven't verified whether these flows are correct or not. Have you verified that?
08:43 <ivasilevskaya> annp: the flows aren't generated at all on my env. I'm investigating
08:43 <annp> ivasilevskaya, could you share with me your firewall rule?
08:44 <ivasilevskaya> annp: I believe we need a fullstack test that creates fwg, boots a vm, adds its port to fwg and verifies that vm's accessibility (by ssh or icmp) changes appropriately
08:44 *** vks1 has joined #openstack-fwaas
08:44 <ivasilevskaya> annp: are there fullstack tests in fwaas?
08:46 <annp> ivasilevskaya, unfortunately, there are no fullstack tests in fwaas :(
08:46 <annp> ivasilevskaya, are you familiar with fullstack test?
08:47 <ivasilevskaya> annp with neutron's
08:48 <annp> ivasilevskaya, Great! It would be great if you bring fullstack to fwaas. :)
08:50 <annp> ivasilevskaya, Regarding "the flows aren't generated at all on my env". Have you added a firewall rule with action='allow' to your test?
08:53 <ivasilevskaya> annp: hm, I have both allow and deny in my test. But are you saying that deny rules won't be generated? Why not generate the flow and have explicit action=drop?
08:56 <annp> ivasilevskaya, yes, deny rules won't be generated. Because our ovs driver is based on ovsfw driver for security group. In case of security group, we don't have any security group with action drop or deny.
08:58 <annp> ivasilevskaya, that is current design ovs driver implementation.
08:58 <annp> ivasilevskaya, that is current design of ovs driver implementation.
08:59 <ivasilevskaya> annp: ok, got it. I thought sth has changed since I ported upstream ovsfw code
09:01 <annp> ivasilevskaya, yes. I just added a small thing to make ovs driver just run. :)
09:02 <annp> ivasilevskaya, Today, I'm quite busy with another thing. So could you update ovs driver patch?
09:02 <ivasilevskaya> annp: you mean table numbers?
09:03 <ivasilevskaya> I'll do this, no problem
09:03 <annp> ivasilevskaya, yes, table number and verifying firewall rule flows in br-int or something if you want to change.
09:04 <ivasilevskaya> annp: if there's no fullstack mechanism in fwaas yet that's a whole new big change
09:04 *** yamamoto has joined #openstack-fwaas
09:04 <annp> ivasilevskaya, thanks for great help.
09:04 <ivasilevskaya> annp: so I believe we need to think how to thoroughly test ovs driver another way
09:05 <ivasilevskaya> annp: but I'll see what I can do. Though I personally don't believe it can be merged in the timeframe we are given
09:05 <annp> ivasilevskaya, yes. at least functional test, I guess
09:06 <annp> ivasilevskaya, Yep. But at least we can try ...:)
09:09 *** yamamoto has quit IRC
09:11 <annp> ivasilevskaya, Can you share with us your testing and result on google doc or something? So other reviewers can follow and give us suggestions or ...
09:11 <annp> ivasilevskaya, What do you think? :)
09:13 <ivasilevskaya> annp it depends if I won't switch to another project) Hardening fwaas was kind of a poc, and the proper testing will require more than 3 days I have till the end of this task
09:13 *** yamamoto has joined #openstack-fwaas
09:19 <annp> ivasilevskaya, I got it. I hope you won't switch to another project. :)
09:53 *** AlexeyAbashkin has quit IRC
09:53 <yushiro> Hi ivasilevskaya
09:53 <ivasilevskaya> hi yushiro
09:53 *** AlexeyAbashkin has joined #openstack-fwaas
09:54 <yushiro> Did you check /etc/neutron/plugins/ml2/ml2_conf.ini in [securitygroup] section?  In order to test l2-agent patch, we need to change 'firewall_driver = openvswitch' from 'firewall_driver = iptables_hybrid'.
09:55 <yushiro> I'm so sorry, I forgot to mention that in the etherpad[1] https://etherpad.openstack.org/p/fwaas-v2-l2
09:55 <ivasilevskaya> yushiro why do we need to change the driver?
09:55 <ivasilevskaya> annp said he didn't test with neutron's ovsfw driver
09:56 <yushiro> ivasilevskaya, ah, sorry.  I replied to your comment "the flows aren't generated at all on my env. I'm investigating".
09:57 <ivasilevskaya> yushiro, I'm a bit confused. Do you say that we MUST change neutron's security driver to ovsfw to test fwaas ovs driver?
09:58 <yushiro> ivasilevskaya, my comment was misleading, sorry.  No need to change security driver to test fwaas OVS driver only.
09:59 <ivasilevskaya> yushiro, ok, got it. Thanks!
09:59 <yushiro> ivasilevskaya, I thought that we should take care of the co-existing case of both SG and FW in br-int.
10:00 <annp> yushiro, did you test with ovs driver?
10:01 <annp> yushiro, will we consider co-existing later?
10:01 <yushiro> annp, I didn't.  I just focused on l2-agent behavior.
10:02 <yushiro> annp, I believe that FW wins in the co-existing case.  I'd like to verify at once.
10:02 <annp> yushiro, ah, same to me. I'm building a local environment, let me see.
10:03 <yushiro> annp, How can we check flow-rule?   ovs-ofctl dump-flows br-int ?
10:03 <annp> yushiro, yes, fwaas always wins. :)
10:03 <annp> yushiro, sudo ovs-ofctl dump-flows br-int
10:04 <yushiro> annp, If so, I think it can work correctly (As I expected).
10:04 <yushiro> annp, aha, I forgot to specify 'sudo'
10:05 <yushiro> So, we can test all patterns for firewall_rule like protocol, action, source/dest_port, source/dest_ip_address and ip_version.
10:05 <annp> yushiro, please make sure your firewall rules have at least one allow rule.
10:06 <yushiro> annp, +1
10:06 <annp> yushiro, :) thanks.
10:07 <yushiro> annp, In addition, plz check the following case:   fwg with ingress policy, port but no firewall_rule in the policy.
10:09 <yushiro> I'll leave this IRC and will come back...  see you.
10:09 <annp> yushiro, you mean in this case we should allow all ingress connections, right?
10:10 <yushiro> annp, Hmm,
10:10 <yushiro> annp, no.  If there is no rule, no traffic should be allowed.
10:11 <yushiro> annp, If firewall policy doesn't include any rule, how will ovs driver work?
10:11 <yushiro> Only default rule is configured or nothing to configure?
10:11 <annp> yushiro, if firewall policy has no rule, ovs driver will drop all. I think.
10:12 <yushiro> annp, OK, that's as I expected.  Anyway, will consider.
10:12 <annp> in ovs driver side, they only take care of allow rules. Otherwise nothing.
10:13 <yushiro> However, in driver side, there is 'default rule', isn't there?
10:17 <annp> yushiro, there are some rules for dhcp, arp, .. and drop rules. We should only focus on table=41,42,43 and table=51, 52
10:18 <yushiro> annp, yeah
10:23 *** yushiro has quit IRC
10:33 *** openstackgerrit has quit IRC
10:57 *** annp has quit IRC
11:02 *** annp has joined #openstack-fwaas
11:04 *** AlexeyAbashkin has quit IRC
11:13 *** vks1 has quit IRC
11:20 *** AlexeyAbashkin has joined #openstack-fwaas
11:21 *** annp has quit IRC
11:38 *** yamamoto has quit IRC
11:58 *** yamamoto has joined #openstack-fwaas
12:21 *** yamamoto has quit IRC
12:46 *** hoangcx_ has joined #openstack-fwaas
12:52 *** yamamoto has joined #openstack-fwaas
12:55 <ivasilevskaya> annp: I solved my env trouble but no good news from my side: my first manual test failed.
12:55 <ivasilevskaya> Test: create 3 networks, security group with all allowed, firewall group with 1 ingress policy that allows icmp, boot 3 vms, verify that vms can be reached from dhcp namespace. Then add 1 vm port to firewall group, try pinging it from dhcp namespace - no connectivity (http://paste.openstack.org/show/623717/)
12:56 <ivasilevskaya> after running unset --port VMPORT vm can be reached again. So I suspect fwaas ovs driver
12:58 <ivasilevskaya> BTW guys xgerman_ yamamoto reedip annp After gate trouble recheck didn't remove -1 from zuul. How can this be solved? We wanted to merge some patches today iirc like https://review.openstack.org/#/c/425769/
13:46 *** Aju has joined #openstack-fwaas
13:48 *** afranc has quit IRC
13:50 *** hoangcx_ has quit IRC
13:51 *** hoangcx_ has joined #openstack-fwaas
14:05 <xgerman_> I think we need to recheck until we hit a good env — on the LBaaS side Michael was battling mismatched qemu/kvm settings in devstack all weekend
14:07 *** yamamoto has quit IRC
14:15 *** vks1 has joined #openstack-fwaas
14:19 *** vks1 has quit IRC
14:21 *** vks1 has joined #openstack-fwaas
14:29 *** vks1 has quit IRC
14:44 *** vks1 has joined #openstack-fwaas
15:08 *** yamamoto has joined #openstack-fwaas
15:14 *** yamamoto has quit IRC
16:10 *** yamamoto has joined #openstack-fwaas
16:14 *** hoangcx_ has quit IRC
16:15 *** yamamoto has quit IRC
16:36 *** AlexeyAbashkin has quit IRC
17:12 *** yamamoto has joined #openstack-fwaas
17:18 *** yamamoto has quit IRC
17:37 *** vks1 has quit IRC
17:59 *** AlexeyAbashkin has joined #openstack-fwaas
18:03 *** AlexeyAbashkin has quit IRC
18:14 *** yamamoto has joined #openstack-fwaas
18:19 *** yamamoto has quit IRC
19:15 *** yamamoto has joined #openstack-fwaas
19:20 *** yamamoto has quit IRC
20:17 *** yamamoto has joined #openstack-fwaas
20:22 *** yamamoto has quit IRC
21:18 *** yamamoto has joined #openstack-fwaas
21:24 *** yamamoto has quit IRC
21:27 <xgerman_> ivasilevskaya looks like we are failing on http://logs.openstack.org/69/425769/55/check/openstack-tox-py35/9af7fd3/job-output.txt.gz#_2017-10-16_14_22_01_402344
21:27 <xgerman_> I am not sure if that is legit or a zuul thing…
21:28 <xgerman_> reedip, yushiro: We have a few days more time to get things merged… mlavalle will check midweek again
22:21 *** yamamoto has joined #openstack-fwaas
22:26 *** yamamoto has quit IRC
23:07 *** lnicolas has joined #openstack-fwaas
23:22 *** yamamoto has joined #openstack-fwaas
23:28 *** yamamoto has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!