*** yamamoto has joined #openstack-fwaas | 00:24 | |
*** yamamoto has quit IRC | 00:29 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 00:48 | |
*** AlexeyAbashkin has quit IRC | 00:52 | |
*** bzhao has joined #openstack-fwaas | 01:16 | |
*** yamamoto has joined #openstack-fwaas | 01:24 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 01:28 | |
*** AlexeyAbashkin has quit IRC | 01:32 | |
*** annp has joined #openstack-fwaas | 02:16 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 02:27 | |
*** AlexeyAbashkin has quit IRC | 02:31 | |
*** annp has quit IRC | 02:34 | |
*** jhesketh has quit IRC | 02:35 | |
*** jhesketh has joined #openstack-fwaas | 02:38 | |
*** annp has joined #openstack-fwaas | 03:15 | |
*** lnicolas has quit IRC | 03:23 | |
*** lnicolas has joined #openstack-fwaas | 03:23 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 03:26 | |
*** AlexeyAbashkin has quit IRC | 03:31 | |
reedip | xgerman_ checking the failure | 03:41 |
xgerman_ | thx — I am swamped at work and could only look cursorily… not sure if this is a result of zuul or a change to privsep we missed… | 03:43 |
reedip | seems zuul based | 03:53 |
*** AlexeyAbashkin has joined #openstack-fwaas | 04:26 | |
*** lnicolas has quit IRC | 04:29 | |
*** AlexeyAbashkin has quit IRC | 04:31 | |
*** bzhao has quit IRC | 05:50 | |
*** vks1 has joined #openstack-fwaas | 06:45 | |
annp | ivasilevskaya, ping | 07:00 |
annp | reedip, ping | 07:02 |
reedip | annp pong : sorry a bit busy recovering iscsi connection in cinder so will look into your request in a bit | 07:02 |
annp | reedip, I have small question | 07:03 |
reedip | yes , please ask | 07:03 |
annp | reedip, If a user would prefer to use a firewall group, that means the user should disable security groups, right? | 07:05 |
reedip | that's a user choice... firewalls can be placed in front of router interfaces as well, security groups can't be | 07:05 |
reedip | so I will not say that user should disable security groups | 07:06 |
annp | reedip, yes you're right. | 07:07 |
annp | reedip, however if a user enables the firewall l2 driver, then the user should disable security groups. | 07:09 |
reedip | my question, why ... Because this information needs to be written in the ReleaseNote or API Ref guide or somewhere | 07:10 |
annp | reedip, Currently ovs_driver couldn't work as we expected because of the concurrency between fwg and sg | 07:11 |
reedip | annp : ok | 07:11 |
annp | reedip, It should be noted in Release note as you said. | 07:12 |
reedip | annp: so this concurrency process is being introduced by us, the FWaaS team | 07:13 |
annp | reedip, Yes. That's all :) | 07:13 |
reedip | annp : users who use security groups and want to use FWaaS may not find this a good thing to look at | 07:14 |
reedip | SGs have been verified by the users themselves | 07:14 |
reedip | they have tried it | 07:14 |
reedip | in that sense, if we ask the users to disable SGs, it would not be easy for them | 07:15 |
annp | reedip, sorry, I couldn't get your point here. Can you explain in more detail for me? | 07:18 |
annp | who will configure firewall_l2_driver and the security_group driver? | 07:19 |
reedip | annp : if a user has been using SGs since Mitaka/Newton, and wants to use FWaaS v2 with L2, then he has to disable SGs. Also he has to apply the same rules which he created for SGs to Firewalls and expect the same or better behavior | 07:19 |
reedip | annp : the practical implementation in an already deployed cloud for this behavior would be tricky, because users who have used SGs would not like to use FWaaS if that requires the users to disable the already tested SGs | 07:20 |
reedip | for them, FWaaS is not as stable ( until they have used it themselves ) as SGs are | 07:20 |
annp | reedip, yes. So we should make the ovs driver work co-existing with security groups, right? | 07:22 |
reedip | if it can be possible, then it would be better | 07:22 |
reedip | that's my opinion in terms of usage... I don't know yet if that is possible since I haven't reviewed the latest patches... :( | 07:22 |
annp | the current ovs driver couldn't! :( | 07:23 |
annp | reedip, thanks for the discussion. I will comment on ovs driver to add a release note. | 07:27 |
*** AlexeyAbashkin has joined #openstack-fwaas | 07:34 | |
reedip | annp : mention not :) | 07:39 |
annp | reedip :) | 07:41 |
*** yamamoto has quit IRC | 08:47 | |
*** yamamoto has joined #openstack-fwaas | 08:55 | |
*** yamamoto has quit IRC | 08:55 | |
ivasilevskaya | hi guys | 09:12 |
ivasilevskaya | annp I see you think that enabled security groups are to blame in my failed test case, right? | 09:12 |
ivasilevskaya | annp: actually disabling security groups never crossed my mind - why would we want to do that if by spec fwaas is supposed to work along with SG? | 09:13 |
ivasilevskaya | annp: I'm not talking about SG with ovsfw driver here, but plain SG with iptables_hybrid driver | 09:14 |
*** yamamoto has joined #openstack-fwaas | 09:15 | |
annp | ivasilevskaya, hi | 09:15 |
annp | ivasilevskaya, regarding "I see you think that enabled security groups are to blame in my failed test case, right?", I think so. | 09:16 |
annp | ivasilevskaya, working co-existing with sg should be considered in fwaas in the near future. | 09:18 |
ivasilevskaya | annp: I'm afraid I'll disappoint you - I disabled SG api, restarted ovs-agent and neutron server and still no connectivity | 09:18 |
ivasilevskaya | annp: so I would not be in such a haste to blame SG for that | 09:19 |
ivasilevskaya | annp: did you trace the packet flow? I see no problems for the packets to get to table 60 | 09:19 |
annp | ivasilevskaya, really? could you share with me your ovs-flows? | 09:19 |
annp | ivasilevskaya: did you see any flows like cookie=0xe3bbe9e2890eb04e, duration=10.356s, table=60, n_packets=0, n_bytes=0, priority=101,in_port="tap8f97faca-a1" actions=load:0x9->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,64)? | 09:20 |
ivasilevskaya | annp: http://paste.openstack.org/show/623802/ | 09:20 |
annp | ivasilevskaya, have you tried to change the number of fw tables? | 09:21 |
ivasilevskaya | annp: yes I did that as you can see | 09:21 |
ivasilevskaya | annp: oh wait | 09:21 |
ivasilevskaya | annp: you have ovs 2.8.1 | 09:21 |
ivasilevskaya | annp: I have ovs 2.6. in_port=NAME_OF_DEVICE looked too strange for me so I switched to the version I'm used to. This may be out of scope of course, but just fyi | 09:22 |
ivasilevskaya | annp: Did you make my test case work by disabling SG? If not - let's NOT make any assumptions and changes to the patch before we sort out this very failing case | 09:23 |
annp | ivasilevskaya, let me know your use case, I can test now. | 09:25 |
ivasilevskaya | annp: I gave a setup env script and test description in comments to PS | 09:26 |
annp | I saw all packets go to table=61 and not match any flow rule before the drop flows. | 09:26 |
ivasilevskaya | annp: exactly. So I believe our pipeline is to blame and not SG at all | 09:26 |
annp | ivasilevskaya, ok! | 09:27 |
annp | ivasilevskaya, please give me some minutes. I'm trying your test | 09:27 |
ivasilevskaya | annp: as for the repro - you can run my setup env script, verify that you have connectivity (ping vms from dhcp namespace for example). Then run openstack firewall group set --port port100500 mac_sg and check connectivity again | 09:28 |
ivasilevskaya | annp: you'll have none till you do unset --port | 09:28 |
ivasilevskaya | Once I get to the office I'll be more available, maybe in a couple of hours I can be fully in debugging this stuff. | 09:30 |
annp | ivasilevskaya, I tried to run your script but was not successful. So may I create 2 VMs, vm1 and vm2, icmp-ingress-allow, icmp-egress-allow, a firewall group, and try to ping from vm1 to vm2, is that ok? | 09:41 |
annp | ivasilevskaya, I have tested it and got the same issue as you. :( | 10:07 |
annp | ivasilevskaya, if you fixed your problem, please also fix my comments about priority and table number. Tomorrow, I'll spend more time on the ovs driver. I'm leaving office. | 10:17 |
*** yamamoto has quit IRC | 10:18 | |
*** annp has quit IRC | 10:19 | |
*** yamamoto has joined #openstack-fwaas | 10:25 | |
*** yamamoto has quit IRC | 10:30 | |
*** ivasilevskaya has quit IRC | 10:35 | |
*** ivasilevskaya has joined #openstack-fwaas | 11:16 | |
*** yamamoto has joined #openstack-fwaas | 11:26 | |
*** yamamoto has quit IRC | 11:32 | |
*** yamamoto has joined #openstack-fwaas | 11:41 | |
*** yamamoto_ has joined #openstack-fwaas | 11:42 | |
*** yamamoto has quit IRC | 11:46 | |
*** yamamoto_ has quit IRC | 11:56 | |
*** vks1 has quit IRC | 11:56 | |
*** yamamoto has joined #openstack-fwaas | 12:19 | |
*** yamamoto has quit IRC | 12:54 | |
xgerman_ | yeah, we need to get SG work with FWG — but not necessarily for Q-1 | 12:55 |
*** vks1 has joined #openstack-fwaas | 13:35 | |
xgerman_ | yushiro, reedip, ivasilevskaya: I need to do something meaningful with https://review.openstack.org/#/c/512432/2/deliverables/queens/neutron-fwaas.yaml | 13:53 |
*** yamamoto has joined #openstack-fwaas | 13:55 | |
xgerman_ | I also ran across a patch which involved privsep on the LBaaS side: https://review.openstack.org/#/c/512199/ | 13:55 |
*** yamamoto has quit IRC | 14:05 | |
*** reedip_ has joined #openstack-fwaas | 14:32 | |
*** yamamoto has joined #openstack-fwaas | 14:47 | |
*** yamamoto has quit IRC | 14:47 | |
reedip_ | o/ | 14:52 |
xgerman_ | reedip_ how are we looking? Can we merge more stuff for Q-1 or are we done with the cycle? | 15:18 |
reedip_ | honestly, I need to look once more ... I am stuck on a deployment issue related to Cinder and iSCSI :( . Can you give me an hour ? | 15:19 |
*** AlexeyAbashkin has quit IRC | 15:30 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 15:30 | |
xgerman_ | sure, we have time | 15:35 |
*** AlexeyAbashkin has quit IRC | 15:41 | |
*** yamamoto has joined #openstack-fwaas | 15:48 | |
*** yamamoto has quit IRC | 15:55 | |
*** vks1 has quit IRC | 17:00 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 17:22 | |
*** AlexeyAbashkin has quit IRC | 17:24 | |
reedip_ | xgerman_ I reviewed and am adding my comments to the ones which were targeted for Q-1 ... | 17:40 |
reedip_ | sorry for being a bit late for the party | 17:40 |
xgerman_ | thanks — | 17:41 |
*** reedip_ has quit IRC | 17:53 | |
*** openstackgerrit has joined #openstack-fwaas | 18:30 | |
openstackgerrit | Inessa Vasilevskaya proposed openstack/neutron-fwaas master: FWaaS v2 extension for L2 agent https://review.openstack.org/323971 | 18:30 |
openstackgerrit | Inessa Vasilevskaya proposed openstack/neutron-fwaas master: OVS based l2 Firewall driver for FWaaS v2 https://review.openstack.org/447251 | 18:30 |
ivasilevskaya | oh my I think I figured out 1 bug that caused plenty of flows not being generated at all with ovs driver | 18:34 |
ivasilevskaya | there is still no connectivity but at least now we have flows with proper nw_src in table 61 and packets get up to table 63 | 18:36 |
ivasilevskaya | I'll call it a day for tonight. If I have time - I'll continue debugging fun tomorrow. | 18:38 |
ivasilevskaya | annp: I updated table numbers, 61-63 and 66-67. Decided that it's better to evenly divide the interval (60,70) for egress/ingress than to have them go one by one | 18:38 |
*** ivasilevskaya has quit IRC | 18:40 | |
*** vishwanathj has joined #openstack-fwaas | 18:41 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 19:40 | |
*** AlexeyAbashkin has quit IRC | 19:44 | |
*** AlexeyAbashkin has joined #openstack-fwaas | 20:22 | |
*** AlexeyAbashkin has quit IRC | 20:27 | |
*** ivasilevskaya has joined #openstack-fwaas | 21:19 |