| mlavalle | yushiro: Great. I'll be very glad to see you there | 00:00 |
|---|---|---|
| yushiro | mlavalle, Regarding reedip's RFE, I think it's reasonable. I'll also comment in this RFE and will discuss our plan in Rocky at PTG. | 00:01 |
| yushiro | ;) | 00:01 |
| mlavalle | yushiro: great, thanks! | 00:01 |
| SridarK | yushiro: will do | 00:05 |
| SridarK | mlavalle: quick q | 00:05 |
| mlavalle | sure | 00:06 |
| SridarK | mlavalle: we will possibly have 2 patches that we are converging on to get merged for Queens | 00:06 |
| SridarK | mlavalle: are we allowed to +A when they are ready or should we wait on ur recommendations | 00:06 |
| SridarK | mlavalle: they require a bit more tweaking - we had a long discussion today so when the submitter (annp) is online we can get things moving | 00:08 |
| mlavalle | SridarK: send an email today to the ML requesting a FFE for those two patches (with the reason for the exception). I will bring it up tomorrow morning during the drivers meeting | 00:08 |
| mlavalle | does that work? | 00:08 |
| SridarK | mlavalle: they are bugfixes | 00:08 |
| SridarK | issues found in testing | 00:08 |
| SridarK | mlavalle: since they are bug fixes do they need an FFE | 00:09 |
| mlavalle | we froze everything | 00:09 |
| SridarK | mlavalle: ah ok | 00:10 |
| mlavalle | SridarK: hang on | 00:10 |
| SridarK | so we have a RC | 00:10 |
| SridarK | mlavalle: no prob | 00:10 |
| SridarK | yushiro: lets discuss more on the patches from annp - i tried to summarize in email | 00:11 |
| mlavalle | we are tracking everything for RC1 here: https://launchpad.net/neutron/+milestone/queens-rc1 | 00:11 |
| mlavalle | SridarK: ^^^^ | 00:11 |
| SridarK | mlavalle: ok | 00:11 |
| yushiro | SridarK, Sure. I'm testing now :) | 00:11 |
| mlavalle | so to honor the process, send an email to the ML requesting the inclusion of those two bugs in the RC | 00:12 |
| mlavalle | it is not as you say, a FFE. Just a request for those two bug fixes to be included in the RC | 00:12 |
| SridarK | mlavalle: got it - i will work with the contributor and we will get those covered | 00:12 |
| SridarK | mlavalle: perfect many thanks | 00:12 |
| yushiro | thanks | 00:13 |
| mlavalle | SridarK: thank you! | 00:13 |
| SridarK | mlavalle: and i will look at dscp fwaas | 00:13 |
| SridarK | and add some notes there | 00:13 |
| mlavalle | :-) | 00:13 |
| SridarK | mlavalle: i am sure must be going crazy with the last minute release things | 00:14 |
| SridarK | mlavalle: so remember to breathe :-) | 00:14 |
| mlavalle | it always is. it comes with the territory | 00:14 |
| mlavalle | actually in 20 minutes I heading to my Yoga class | 00:14 |
| SridarK | mlavalle: imagines he is floating down on his glider | 00:15 |
| SridarK | mlavalle: ah there u go - perfect and i hope u will not be on IRC on ur phone while doing a headstand :-) | 00:15 |
| mlavalle | oh no, I leave the cell phone in the locker | 00:16 |
| SridarK | :-) | 00:16 |
| mlavalle | I completely let go for that hour | 00:16 |
| SridarK | oh yes | 00:16 |
| SridarK | So we will have an email out and btwn xgerman_ yushiro and myself we will support it | 00:17 |
| SridarK | for inclusion | 00:17 |
| SridarK | many thx mlavalle | 00:17 |
| mlavalle | Thanks | 00:17 |
| SridarK | yushiro: are u okay with the approach to remove the configurable option for DFWG association | 00:18 |
| SridarK | it seems it can cause some confusion | 00:18 |
| yushiro | SridarK, Yes, I just remembered some member wanted not to use default fwg. I think it's better to shift more securely one. | 00:19 |
| SridarK | yushiro: so we can remove that option for now | 00:20 |
| SridarK | so we will not hit conntrack issues as we discussed | 00:20 |
| yushiro | SridarK, OK, that's great. So, we don't have to prevent from combination 'iptables_hybrid'(SG) + 'ovs'(FWG), right? | 00:21 |
| SridarK | yushiro: i think we still need that | 00:22 |
| SridarK | chandan's patch in neutron merged | 00:22 |
| yushiro | yes. | 00:22 |
| SridarK | but i think we still need more testing to be sure we will not have any interoperability issues with SG (iptables hybrid) and FWaaS L2 (ovs) | 00:22 |
| SridarK | so i think we can have that validation to prevent this combination for Queens | 00:23 |
| yushiro | SridarK, Aha, right. we're missing more testing. | 00:23 |
| SridarK | once we test more - we can remove this in R | 00:23 |
| SridarK | yushiro: yes better to be safe | 00:23 |
| yushiro | SridarK, I'm watching your e-mail now :) OK, I totally understood. | 00:23 |
| SridarK | ah thank u :-) | 00:24 |
| SridarK | so this validation will be https://review.openstack.org/#/c/536234/ | 00:24 |
| SridarK | yushiro: i think u still had some concerns - i think once they are addressed we can merge that | 00:25 |
| yushiro | SridarK, Sure. My comment is not so important just minor grammar. I'll talk with annp if he start working ASAP. | 00:27 |
| SridarK | yushiro: ok perfect | 00:27 |
| SridarK | may be we can connect a bit later today on IRC as well and all discuss and finalize | 00:28 |
| yushiro | SridarK, BTW, do we need another patch to remove auto_associate_default_firewall_group ? I think it's also OK to remove this parameter at https://review.openstack.org/#/c/539461/5 | 00:28 |
| yushiro | Yes. | 00:28 |
| yushiro | I'll keep log-in today. | 00:28 |
| SridarK | yushiro: i also think we can do it in this PS itself | 00:28 |
| SridarK | no need for another one | 00:28 |
| SridarK | I will add some comments on gerrit also | 00:29 |
| SridarK | yushiro: i am around - except when i drive back home it will take me an hour or so | 00:29 |
| yushiro | SridarK, Thank you. OK, please take care :) | 00:29 |
| yushiro | SridarK, I'll also comment on gerrit to put reno about that. | 00:29 |
| SridarK | i think if we can connect in 3 hrs or so - chandan will also be online - i think he was testing some too | 00:30 |
| yushiro | sure | 00:30 |
| *** mlavalle has quit IRC | 00:42 | |
| *** openstackgerrit has joined #openstack-fwaas | 01:24 | |
| openstackgerrit | Cao Xuan Hoang proposed openstack/neutron-fwaas master: Fix devstack configuration for fwaas v2 https://review.openstack.org/527040 | 01:24 |
| *** SridarK has quit IRC | 01:39 | |
| *** annp has joined #openstack-fwaas | 02:26 | |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Fix auto associate default fwg https://review.openstack.org/539461 | 02:40 |
| *** chandanc has joined #openstack-fwaas | 02:47 | |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Fix auto associate default fwg https://review.openstack.org/539461 | 03:02 |
| yushiro | chandanc, Hi. I just updated auto association patch. | 03:02 |
| yushiro | chandanc, I removed auto_associate_default_firewall_group parameter as teams discussed last meeting. Could you review it? | 03:03 |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Remove disable option for default FWG and ensure it is only applied on VM ports https://review.openstack.org/539461 | 03:30 |
| *** SridarK has joined #openstack-fwaas | 03:37 | |
| *** yamamoto has joined #openstack-fwaas | 03:37 | |
| SridarK | yushiro: ah ok i see u have made the updates | 03:39 |
| SridarK | annp: ping | 03:39 |
| yushiro | SridarK, Yup. and now annp are working another patch | 03:40 |
| SridarK | ok thx | 03:40 |
| SridarK | so we have 2 patches that we need to get in | 03:41 |
| yushiro | I just hurried so forgot updating something. Next patch I'll add reno about removing auto-associate parameter. | 03:41 |
| SridarK | thx for addressing my comments | 03:41 |
| SridarK | yes reno is missing | 03:41 |
| yushiro | SridarK, NP. it was very helpful for me. | 03:41 |
| SridarK | yushiro: when do u head for lunch ? | 03:43 |
| yushiro | SridarK, I'm 12:00 to 13:00. I'm just eating with bread and tea :) | 03:44 |
| SridarK | yushiro: oh i am so sorry - :-) | 03:44 |
| yushiro | SridarK, No-no. That is my usual lunch time :p | 03:45 |
| SridarK | once the patches are ready - lets do a quick check to make sure things are good and we can ask for it to be added | 03:45 |
| SridarK | yushiro: i meant u are eating a very simple lunch with bread :-) | 03:46 |
| yushiro | SridarK, aha, yeah. I usually like to eat sweet bread or rice bowl for lunch. | 03:47 |
| yushiro | SridarK, I'll update reno for draft version. Could you check my grammar or suitable topic? (deprecations, critical, security, fixes, other, etc...) | 03:48 |
| SridarK | yushiro: yes one thing on the title | 03:48 |
| SridarK | i think what i suggested hope it did not go beyond 65 columns | 03:49 |
| yushiro | Yes, maybe openstack is 50 characters for title and 72 characters for description. | 03:49 |
| SridarK | oh it is definitely more than 65 | 03:51 |
| SridarK | i thought it was 65 for title | 03:51 |
| SridarK | sorry i should have checked that | 03:51 |
| SridarK | Remove disable option for default FWG and allow only on VM ports | 03:54 |
| SridarK | that is 64 characters | 03:55 |
| yushiro | SridarK, Ok, Thanks | 03:55 |
| chandanc | yushiro: sure let me check the patch | 03:58 |
| yushiro | chandanc, Thank you so much. However, I'll update it now. Just a second.. | 03:59 |
| chandanc | sure | 03:59 |
| SridarK | yushiro: one minor nit | 04:05 |
| SridarK | can u pls check that b4 u push patch | 04:05 |
| SridarK | not so imp very minor - | 04:06 |
| SridarK | chandanc: hi thx for the check | 04:06 |
| yushiro | OK | 04:06 |
| chandanc | SridarK: no pb | 04:07 |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Remove disable option for default FWG and allow only on VM ports https://review.openstack.org/539461 | 04:08 |
| yushiro | SridarK, thanks for your comment. | 04:09 |
| yushiro | I just reflected at the latest patch.. | 04:09 |
| yushiro | chandanc, Sorry for late :p | 04:09 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 04:15 |
| annp | SridarK, chandanc, yushiro: hi | 04:15 |
| yushiro | I'm not sure but in my local environment, it didn't work "tox -e releasenotes" | 04:17 |
| yushiro | annp, hi | 04:17 |
| chandanc | hello annp | 04:17 |
| annp | I've just updated https://review.openstack.org/536234, So could you have a look at it? | 04:18 |
| chandanc | annp: will do | 04:19 |
| annp | chandanc, thanks. | 04:19 |
| chandanc | yushiro: nit change in reno, else looks good | 04:20 |
| SridarK | annp: hi | 04:20 |
| chandanc | i have a question though | 04:20 |
| annp | SridarK, hi | 04:20 |
| SridarK | annp: looking | 04:20 |
| chandanc | are we not doing validation for l2 ports in general before adding to FWG ? am i missing something ? | 04:21 |
| chandanc | i mean the same validation for compute only ports applies to all FWG right ? | 04:22 |
| chandanc | yushiro: SridarK any idea ? | 04:23 |
| annp | chandanc, we only validate vm ports, which are intended to be added to a fwg | 04:25 |
| chandanc | so the validation in the event handler is in addition to already existing validation ? | 04:26 |
| annp | chandanc, yes. | 04:27 |
| chandanc | can you point me to the code | 04:28 |
| annp | https://review.openstack.org/#/c/536234/10/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@329, right? | 04:28 |
| chandanc | no no, i mean this https://review.openstack.org/#/c/539461/9/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@295 should be applicable to all FWG | 04:32 |
| chandanc | is this the case | 04:32 |
| chandanc | brb | 04:33 |
| yushiro | chandanc, Yes, @295 can validate specified port is 'VM port' | 04:37 |
| yushiro | chandanc, So, I'd like to prepare utility method like is_vm_port() in the future. | 04:37 |
| yushiro | chandanc, Thanks for your review! | 04:38 |
| SridarK | sorry guys - i am getting a request for inclusion ready | 04:39 |
| SridarK | annp: on https://review.openstack.org/#/c/536234/ | 04:39 |
| SridarK | we will need a bug id | 04:39 |
| SridarK | do u have one that u can add | 04:40 |
| yushiro | SridarK, https://bugs.launchpad.net/neutron/+bug/1746855 | 04:40 |
| openstack | Launchpad bug 1746855 in neutron "FWaaS V2 doesn't support Linuxbridge" [Undecided,Confirmed] | 04:40 |
| SridarK | ah ok | 04:40 |
| yushiro | Annp has already filed but need to fix bug title I think. | 04:40 |
| SridarK | annp: can u pls update the Patch | 04:40 |
| annp | yushiro, thanks. | 04:40 |
| SridarK | yes i think we need a better title | 04:41 |
| chandanc | yushiro: what happens if some one tries to add DHCP/Router ports to a user defined FWG today ? | 04:41 |
| annp | SridarK, I've already added bug-id at Close-Bug: # in commit message | 04:42 |
| SridarK | annp | 04:42 |
| yushiro | chandanc, currently, handle_port_create_event() tries to associate DHCP/router port with default firewall group and got an error | 04:42 |
| SridarK | annp: sorry my bad had to scroll down | 04:43 |
| SridarK | sorry | 04:43 |
| chandanc | yushiro: yes correct, but this validation is part of event handler | 04:43 |
| yushiro | chandanc, yes sure. | 04:43 |
| annp | chandanc, we only validate in case of newly vm port | 04:44 |
| chandanc | yes | 04:44 |
| annp | So you can add DHCP/router port with defined fwg. | 04:44 |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Remove disable option for default FWG and allow only on VM ports https://review.openstack.org/539461 | 04:45 |
| yushiro | Just reflected chandanc 's comment. | 04:45 |
| annp | I mean i need to ignore if port is router or DHCP in my patch. | 04:45 |
| annp | SridarK: no worries. | 04:46 |
| SridarK | FWaaS v2 failures with SG using linuxbridge or iptables_hybrid driver | 04:46 |
| SridarK | annp: ^^^ does that title seem reasonable for the bug | 04:47 |
| SridarK | annp: also pls assign the bug to urself | 04:47 |
| annp | SridarK, How about FWaaS V2 failures with Ml2 is Linuxbridge or security group driver is iptables_hybrid? | 04:49 |
| SridarK | annp: yes thats fine too | 04:49 |
| annp | SridarK: Done. | 04:54 |
| SridarK | annp: thx | 04:54 |
| SridarK | i putting together some notes | 04:54 |
| SridarK | on the bugs - i will send tht to u - can u pls check that and req inclusion of these bugs for RC | 04:54 |
| SridarK | then we can support it | 04:55 |
| yushiro | chandanc, do you have any improvement idea ? | 04:57 |
| chandanc | yushiro: can you move the validation here https://review.openstack.org/#/c/539461/9/neutron_fwaas/db/firewall/v2/firewall_db_v2.py@818 | 04:58 |
| chandanc | and raise a exception | 04:58 |
| chandanc | i mean the validation https://review.openstack.org/#/c/539461/9/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@295 | 04:59 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 04:59 |
| annp | SridarK, yushiro, chandanc: I have to go lunch, See you later. | 05:01 |
| SridarK | annp: 1 min | 05:01 |
| SridarK | annp: i am going to send u an email with notes - pls review that after u are back from lunch | 05:02 |
| annp | Sridark: OK | 05:02 |
| annp | SridarK, Sure. | 05:02 |
| SridarK | and u will need to send out a request | 05:02 |
| SridarK | many thx | 05:02 |
| annp | Send email to you or Miguel? | 05:03 |
| yushiro | chandanc, I wanted to avoid to edit common method like _set_ports_for_firewall_group(). Ah, you'd like to avoid unnecessary DB access, right? | 05:03 |
| SridarK | annp: u will need to send it to the list | 05:04 |
| SridarK | annp: no worries finish ur lunch | 05:04 |
| yushiro | chandanc, If so, that makes sense. | 05:04 |
| chandanc | yushiro: sure i just want to make sure we have the same validation ofr all FWG | 05:04 |
| chandanc | for* | 05:04 |
| annp | SridarK, Thanks. See you guys later.:) | 05:05 |
| chandanc | if you have any other common point to have this check, that will work too | 05:05 |
| chandanc | yushiro: i think annp added this in his patch | 05:07 |
| chandanc | https://review.openstack.org/#/c/536234/10..11/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@251 | 05:07 |
| chandanc | but too many not condition, i am trying to understand :) | 05:08 |
| yushiro | haha, yes | 05:08 |
| yushiro | hmm, it should be refactored | 05:09 |
| chandanc | ya, i am getting lost | 05:10 |
| yushiro | we should pass 'router:interface' and 'compute:foo' . In addition, we should prevent unsupported condition. | 05:10 |
| yushiro | I think it can be written more simply | 05:10 |
| chandanc | sure | 05:11 |
| chandanc | and if you do, we can then remove that validation from the other patch | 05:11 |
| chandanc | right ? | 05:11 |
| chandanc | just to keep all validation in one place and apply them to both default and user defined FWGs | 05:12 |
| SridarK | chandanc: makes sense - but lets also minimze churn in the patches | 05:12 |
| SridarK | from a testing perspective | 05:13 |
| SridarK | i sent u all an email - can u pls review - so annp can send out a request for including patches | 05:13 |
| chandanc | SridarK: sure, i would like to keep things small at this time | 05:13 |
| yushiro | chandanc, Yes, I think so. But I'm afraid of it because current situation | 05:13 |
| chandanc | ya agree | 05:14 |
| yushiro | How about refactoring after releasing with us :) | 05:14 |
| SridarK | ok yes | 05:14 |
| chandanc | sure | 05:14 |
| yushiro | Thanks chandanc | 05:14 |
| yushiro | So, I've just reflected from your comments now. | 05:14 |
| yushiro | However, please review it again. | 05:15 |
| chandanc | ok sure | 05:15 |
| SridarK | Also before i forget - lets all try to be on the drivers meeting | 05:17 |
| SridarK | Fri 14:00 UTC | 05:17 |
| SridarK | http://eavesdrop.openstack.org/#Neutron_drivers_Meeting | 05:17 |
| yushiro | Hmm, raise Exception(_("Doesn't support this port %s"), port_id) I think it's necessary to define an exception | 05:18 |
| yushiro | SridarK, Ok, thanks | 05:18 |
| chandanc | yushiro: the reno needs change, putting comment | 05:18 |
| SridarK | i will be back in few mins - get some dinner | 05:18 |
| yushiro | chandanc, OK, thanks | 05:19 |
| yushiro | chandanc, Oh, is this not necessary? OK | 05:20 |
| chandanc | i mean the remove the highlighted | 05:20 |
| chandanc | so that the sentence will become like the one in “””…”” | 05:20 |
| yushiro | chandanc, you mean, remove 'fixes' section ? | 05:20 |
| chandanc | ya the highlighted part | 05:21 |
| yushiro | sure. I see that 'prelude' is enough. | 05:21 |
| openstackgerrit | Yushiro FURUKAWA proposed openstack/neutron-fwaas master: Remove disable option for default FWG and allow only on VM ports https://review.openstack.org/539461 | 05:22 |
| yushiro | chan Done :) | 05:22 |
| yushiro | Could you review it, please ? | 05:22 |
| openstackgerrit | chandanc proposed openstack/neutron-fwaas master: Remove disable option for default FWG and allow only on VM ports https://review.openstack.org/539461 | 05:47 |
| chandanc | Sorry yushiro i think i confused you more | 05:47 |
| chandanc | fixed the reno | 05:47 |
| chandanc | sorry for all the confusion | 05:47 |
| yushiro | OK, lemme check. | 05:48 |
| yushiro | Ah! | 05:48 |
| chandanc | sorry :( i was not very clear | 05:49 |
| yushiro | I see! No-no. It's my poor reading skill ;p | 05:49 |
| chandanc | i will run some tests | 05:49 |
| chandanc | lets move on :) | 05:49 |
| yushiro | Ya | 05:49 |
| chandanc | will update results | 05:49 |
| SridarK | sounds good if there is another update, tweak the reno a bit: super nit: 'check an updated port ...' -> 'check if an updated port' | 05:54 |
| SridarK | this is a super nit so i am not putting it on gerrit | 05:54 |
| SridarK | i would rather see a zuul vote :-) | 05:54 |
| SridarK | Now i had one confusion | 05:54 |
| SridarK | If we had an update where some one remove a user define FWG, then we need to apply the default FWG on that port | 05:55 |
| SridarK | chandanc: yushiro: can u pls review the email i sent u all | 05:57 |
| yushiro | SridarK, Sure. | 05:59 |
| annp | SridarK: Your mail look good to me. | 05:59 |
| SridarK | annp: ok u are back | 06:00 |
| SridarK | chandanc: do u have any comments too | 06:00 |
| annp | SridarK, hi :) | 06:00 |
| SridarK | so annp can u pls reformat or update and send that openstack-dev | 06:00 |
| SridarK | with the subject line as indicated | 06:01 |
| yushiro | SridarK, readin your e-mail | 06:01 |
| annp | SridarK, Sure. I'll do | 06:01 |
| SridarK | Miguel would like to follow the process | 06:01 |
| SridarK | annp: thx | 06:01 |
| yushiro | OK, SridarK there is no problem. | 06:02 |
| annp | SridarK, you're welcome. :) | 06:02 |
| yushiro | SridarK, BTW, should we change priority of these bug-report? | 06:03 |
| SridarK | yushiro: hmm i think u had marked it High | 06:03 |
| SridarK | oh maybe not the other one | 06:03 |
| yushiro | SridarK, Yes, I've already marked 'High' | 06:03 |
| yushiro | I wonder 'High' or 'Critical' but it's OK 'High' . | 06:04 |
| SridarK | https://bugs.launchpad.net/neutron/+bug/1746855 is not marked High | 06:04 |
| openstack | Launchpad bug 1746855 in neutron "FWaaS V2 failures with Ml2 is Linuxbridge or security group driver is iptables_hybrid" [Undecided,Confirmed] - Assigned to Nguyen Phuong An (annp) | 06:04 |
| yushiro | OK, will put 'High' | 06:04 |
| SridarK | yushiro: are u able to update | 06:04 |
| yushiro | SridarK, Yes. | 06:04 |
| SridarK | thx - i am not able to | 06:04 |
| yushiro | Oh, really? I thought that neutron-**aas core became a neutron bug-supervisor. Anyway, I put 'High' now :) | 06:05 |
| SridarK | yushiro: i think we need to ask to get added to the list - i did not i think at that time | 06:07 |
| SridarK | I will ask Miguel to add me | 06:08 |
| SridarK | yushiro: thx | 06:08 |
| annp | yushiro, SridarK, shall I send the mail? | 06:08 |
| SridarK | annp: yes pls | 06:09 |
| yushiro | annp, Yes, plz | 06:09 |
| yushiro | Yes, I think SridarK and xgerman_ are suitable person to put a priority of fwaas bug list. | 06:10 |
| annp | Done! | 06:12 |
| SridarK | annp: thanks | 06:13 |
| annp | SridarK, thanks for your email, too :) | 06:15 |
| chandanc | sorry was away, mail looks good to me | 06:19 |
| chandanc | If we had an update where some one remove a user define FWG, then we need to apply the default FWG on that port | 06:20 |
| chandanc | yes, this is a valid case | 06:21 |
| chandanc | should be part of the work flow scenario | 06:21 |
| SridarK | annp: no worries - lets now see what happens in the drivers mtg tomorrow | 06:26 |
| SridarK | i think it should not be an issue - since we are almost ready | 06:26 |
| yushiro | annp, thanks. | 06:26 |
| yushiro | annp LOG.error("Doesn't support vif type %s", port.binding.vif_type) | 06:29 |
| yushiro | That is bug | 06:29 |
| annp | yushiro, How about LOG.debug()? | 06:30 |
| yushiro | annp, no-no. I mean port.binding.vif_type is a bug. | 06:31 |
| yushiro | AttributeError: 'dict' object has no attribute 'binding' | 06:31 |
| annp | yushiro, yes, I'll update now. Please comment in gerrit. | 06:31 |
| yushiro | annp, raise Exception(_("Doesn't support this port %s") In addition, I think it is not good way to raise an exception.. | 06:32 |
| SridarK | yushiro: good eye :-) | 06:34 |
| annp | Yes, Can I add a new file such as exceptions.py in common folder? | 06:35 |
| yushiro | annp, In general, it's better to define at neutron-lib but we don't have chance to do it. So, | 06:36 |
| annp | yushiro, so? | 06:38 |
| *** jafeha__ is now known as jafeha | 06:39 | |
| yushiro | annp, how about defining exception class in this file temporary with TODO message like "Migrate to neutron-lib" ? | 06:39 |
| yushiro | And above error message's position was strange. | 06:39 |
| yushiro | "Doesn't support vif type" appeared when I deployed VM instance. So, when a port is 'vif_type: 'unbound', we should ignore this validation. | 06:40 |
| annp | yushiro, :) | 06:41 |
| annp | ok. I'll update | 06:42 |
| SridarK | +1 on adding here with TODO | 06:42 |
| SridarK | I will sign off soon, but if u can update via email on testing and status of patches. We can try to get them merged soon after drivers mtg. It will be day time for xgerman_ & me | 06:43 |
| SridarK | but it will be good to validate before u guys go to bed so we can get them in ASAP. | 06:44 |
| SridarK | yushiro: annp: chandanc: ^^^ | 06:44 |
| SridarK | Also pls try to attend the drivers mtg also | 06:44 |
| yushiro | SridarK, Of course :) | 06:46 |
| yushiro | annp, I think we should ignore 'unbound' port. | 06:52 |
| yushiro | annp, _is_port_supported_by_l2_driver calls get_port(), but handle_update_port() has already port object. I think it is redundancy. | 06:53 |
| yushiro | At _validate_ports_for_firewall_group(), it is also having port object. | 06:54 |
| yushiro | So, it's enough to send port object as an argument of _is_port_supported_by_l2_driver. | 06:54 |
| annp | yushiro, As I comment in code: I'd like to re-fecth to get update-to-date data | 06:56 |
| annp | s/re-fecth/re-fetch | 06:57 |
| yushiro | annp, hmm, I don't know this effect. | 06:59 |
| yushiro | I can understand there is differ from agent-side and server-side. | 07:00 |
| annp | Because from we we receive update event, port db may be change for updating process. | 07:00 |
| yushiro | ah, OK. | 07:01 |
| yushiro | I just commented. | 07:01 |
| annp | So I'd like to get up-to-date data. | 07:01 |
| yushiro | Please ignore 'unbound' case. | 07:01 |
| yushiro | annp, OK, got it. | 07:01 |
| annp | yes, we should check vif_type is unbound and binding failed first | 07:02 |
| annp | yushiro, how about change from LOG.error to LOG.debug. | 07:02 |
| yushiro | annp, And please check at once before pushing a code. | 07:02 |
| yushiro | annp, which line and why? | 07:03 |
| annp | https://review.openstack.org/#/c/536234/11/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@268 and 269 | 07:03 |
| yushiro | I think debug is no meaning at production environment | 07:04 |
| annp | ah, OK. | 07:05 |
| *** threestrands has quit IRC | 07:05 | |
| yushiro | Taking combined environment(iptables_hybrid and openvswitch) into consideration, I think WARNING is suitable. | 07:05 |
| yushiro | So, please change WARNING. | 07:06 |
| *** AlexeyAbashkin has joined #openstack-fwaas | 07:18 | |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 07:36 |
| annp | yushiro, chandanc, I've just updated https://review.openstack.org/536234. Could you please have a look at it? | 07:38 |
| *** AlexeyAbashkin has quit IRC | 07:47 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 07:55 | |
| *** SridarK has quit IRC | 08:13 | |
| yushiro | annp, Just commented. | 08:17 |
| yushiro | did you test in your local env? | 08:18 |
| annp | yushiro, Just second, I will put new patch. I've tested in my local env. | 08:19 |
| yushiro | OK. If possible, please reflect my comment. | 08:20 |
| annp | I realize in case of sg=iptables_hybrid we show duplicate log | 08:20 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 08:21 |
| annp | Yushiro: Please check latest patch. I've addressed your comment. | 08:22 |
| annp | oh, sorry. You've just posted comments. :( | 08:22 |
| yushiro | Please fix exception class name | 08:22 |
| yushiro | Yes. | 08:22 |
| annp | give me a minute | 08:22 |
| yushiro | annp, did you test this latest patch in your env? | 08:23 |
| annp | yes, I've tested. | 08:26 |
| annp | It worked in my env | 08:26 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 08:28 |
| annp | yushiro, please help me to test in your env | 08:30 |
| yushiro | ok | 08:30 |
| annp | yushiro, thanks | 08:37 |
| yushiro | (openstack) firewall group create --name fwg --port vm1 | 08:54 |
| yushiro | Port bf143d12-0d53-4e76-89ca-f1a9c1f7a792 is not supported by firewall L2 driver | 08:54 |
| yushiro | Missing period!! "." | 08:54 |
| annp | thanks. I will update. Anything else? | 08:56 |
| yushiro | For user perspective, how should user do for reading this error message? Hmm, | 08:56 |
| yushiro | A normal user doesn't need to know what backend driver is. | 08:58 |
| yushiro | I think it's better to realize "This port(on this host) cannot use". | 08:59 |
| annp | How about "Port xxx is not supported by firewall group at the moment"? | 09:00 |
| yushiro | In addition, a normal user cannot refer binding information except vnic_type. | 09:01 |
| annp | yes, we doesn't show binding information to normal user | 09:02 |
| yushiro | at that moment, is a little ambiguous.. | 09:02 |
| yushiro | Is it better to realize the ports on this host(device_owner) cannot use. | 09:03 |
| yushiro | ? | 09:03 |
| yushiro | A user tried to a port belongs another host. | 09:03 |
| annp | device_owner is compute:nova | 09:03 |
| annp | I think no more information for normal user. | 09:04 |
| yushiro | It is included availability zone in Nova. | 09:04 |
| chandanc | i think you can put a generic mesg | 09:04 |
| yushiro | ah... | 09:04 |
| yushiro | not supported is enough? | 09:04 |
| chandanc | just say “This may happen due to Non VM ports or incompatible driver combination” | 09:05 |
| yushiro | +100 chandanc | 09:05 |
| yushiro | imcompatible is good | 09:05 |
| chandanc | then he must contact admin | 09:05 |
| chandanc | ya, thats all we can help for. :) | 09:05 |
| yushiro | I think it's better | 09:05 |
| yushiro | thought? annp | 09:05 |
| annp | chandanc, thanks. | 09:05 |
| annp | yushiro: I agree | 09:06 |
| chandanc | sure, i did a little test, ports are getting correctly associated | 09:06 |
| chandanc | so i am mostly +1 for this patch | 09:06 |
| chandanc | yushiro: annp if you have other updated, let me know | 09:08 |
| yushiro | firewall_driver=openvswitch and firewall_l2_driver=ovs, sometimes shows following error: | 09:08 |
| yushiro | Port 7a4863f1-cdb2-4e5e-ba20-9eb02d8eb823 is not managed by this agent..: OVSFWPortNotFound: Port 7a4863f1-cdb2-4e5e-ba20-9eb02d8eb823 is not managed by this agent. | 09:08 |
| yushiro | Is it related? I think it is from ovs-agent. | 09:08 |
| chandanc | is that a vm port ? | 09:08 |
| annp | yushiro, it's not related our patch, now | 09:08 |
| yushiro | chandanc, YEs. and after remove this port, this error displayed. | 09:09 |
| annp | yushiro, sometime I saw the message in ovsfw also | 09:09 |
| chandanc | oh | 09:09 |
| chandanc | let me check | 09:09 |
| annp | chandanc, yushiro, do we need to insert port id into error message? | 09:14 |
| yushiro | annp, +1 it's better. | 09:15 |
| yushiro | for trouble shooting perspective. | 09:15 |
| chandanc | agree, “Port id … could not be added to firewall group” then the generic msg | 09:15 |
| chandanc | should be enough | 09:16 |
| yushiro | current format is Port bf143d12-0d53-4e76-89ca-f1a9c1f7a792 is not supported by firewall L2 driver | 09:17 |
| yushiro | So, Port %(port_id)s is necessary and added generic one which chandanc said. | 09:17 |
| chandanc | ya yushiro : you mesg is better | 09:18 |
| chandanc | your* | 09:18 |
| chandanc | “Port bf143d12-0d53-4e76-89ca-f1a9c1f7a792 is not supported by firewall L2 driver” | 09:18 |
| chandanc | “This may happen due to Non VM ports or incompatible driver combination” | 09:19 |
| yushiro | aha, +1 | 09:19 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS V2 https://review.openstack.org/536234 | 09:23 |
| annp | yushiro, chandanc, Done. | 09:24 |
| yushiro | annp, thanks | 09:24 |
| annp | yushiro, you're welcome. :) | 09:25 |
| yushiro | annp, In this timing, is there posibility a specified port is non VM? | 09:26 |
| yushiro | annp, non VM port is guarded in early validation. | 09:26 |
| yushiro | annp, In addition, "Non" is similar to 'Mon'. So, I saw Monday. How about 'This may happen due to incompatible driver combination.' ? | 09:27 |
| annp | yushiro, you're concern correct. | 09:27 |
| yushiro | chandanc, Anything comment? | 09:28 |
| annp | yushiro: +1 | 09:28 |
| yushiro | let's decide message here. After that, plz update your patch. | 09:29 |
| yushiro | nit: commit message | 09:29 |
| yushiro | s/vm/VM | 09:29 |
| yushiro | s/ovs/OVS | 09:29 |
| annp | How about "Port %(port_id)s is not supported by firewall L2 driver. This may happen due to incompatible driver combination." | 09:30 |
| yushiro | annp, message is good. But I think it is not 409(CONFLICT) but 500(INTERNAL ERROR) | 09:32 |
| yushiro | Because this is infra error | 09:32 |
| yushiro | Hmm, but please wait... | 09:33 |
| yushiro | If these environment is combined structure like hybrid and openvswitch | 09:33 |
| yushiro | OK, 409 is enough because users can keep on running these operation except the port. | 09:34 |
| yushiro | I'm OK this error message. | 09:36 |
| yushiro | let's hear about chandanc 's opinion. | 09:36 |
| annp | yushiro, thanks. | 09:36 |
| annp | chandanc, How about you? | 09:36 |
| yushiro | annp, Unfortunately, I'm difficult to attend today's driver meeting. | 09:38 |
| yushiro | So, would it be possible to join driver's meeting? | 09:38 |
| annp | yushiro, yes, I'll join the meeting. | 09:39 |
| annp | so no worries | 09:39 |
| yushiro | annp, thanks | 09:39 |
| annp | maybe chandanc not around here. Shall we put the patch? | 09:40 |
| annp | yushiro, Jakub ask them on https://bugs.launchpad.net/bugs/1746855 | 09:42 |
| openstack | Launchpad bug 1746855 in neutron "FWaaS V2 failures with Ml2 is Linuxbridge or security group driver is iptables_hybrid" [High,In progress] - Assigned to Nguyen Phuong An (annp) | 09:42 |
| annp | yushiro, can you answer him? | 09:42 |
| yushiro | Yes, will do it. | 09:43 |
| annp | yushiro, thanks! | 09:43 |
| yushiro | done | 09:44 |
| annp | yushiro, thanks! | 09:45 |
| yushiro | in neutron channel, I've talked jakub about 2 bugs for RC candidate | 09:48 |
| yushiro | and you will join today's meeting. | 09:48 |
| openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Validating if a port is supported by FWaaS L2 driver https://review.openstack.org/536234 | 09:49 |
| annp | yushiro, yes. I saw that in neutron channel? Will SridarK and chandanc join today's meeting? | 09:51 |
| yushiro | Maybe | 09:54 |
| yushiro | sorry, I have to leave my office now. will check on my phone | 09:55 |
| yushiro | bye | 09:55 |
| yushiro | Many thanks Sridar, chandanc and annp. | 09:55 |
| yushiro | exit | 09:55 |
| *** yushiro has quit IRC | 09:55 | |
| annp | yushiro, see you! | 09:56 |
| *** hoangcx has quit IRC | 10:03 | |
| *** annp has quit IRC | 10:03 | |
| *** AlexeyAbashkin has quit IRC | 10:14 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 10:14 | |
| *** AlexeyAbashkin has quit IRC | 10:23 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 10:23 | |
| *** chandanc has quit IRC | 11:10 | |
| *** reedip has joined #openstack-fwaas | 12:22 | |
| *** chandanc has joined #openstack-fwaas | 12:23 | |
| *** chandanc has quit IRC | 12:56 | |
| *** chandanc has joined #openstack-fwaas | 13:15 | |
| *** chandanc has quit IRC | 13:23 | |
| *** chandanc has joined #openstack-fwaas | 13:25 | |
| *** chandanc has quit IRC | 13:33 | |
| *** annp has joined #openstack-fwaas | 14:00 | |
| *** SridarK has joined #openstack-fwaas | 14:06 | |
| *** chandanc has joined #openstack-fwaas | 14:08 | |
| SridarK | annp: chandanc: I am just up - sync up on how the patches are looking during my night time | 14:15 |
| annp | SridarK: I think both of the patch look good. I've tested in my env. It worked. | 14:21 |
| SridarK | annp: ok good - i am just catching up on email | 14:21 |
| annp | Regarding chandanc's concern I think we should Do that in other patch. | 14:22 |
| *** chandanc has quit IRC | 14:22 | |
| *** chandanc has joined #openstack-fwaas | 14:23 | |
| SridarK | annp: ok - let me also go thru | 14:23 |
| annp | SridarK, yes. :) maybe there is some issue. But fwaas v2 api are good shape now :) | 14:25 |
| annp | chandanc, regarding your concern, would you like to put it in RC1 or we can back port later? | 14:27 |
| annp | chandanc, I think it's better to back port later | 14:28 |
| *** chandanc has quit IRC | 14:30 | |
| *** chandanc has joined #openstack-fwaas | 14:34 | |
| annp | SridarK, chandanc, I have to go out and will catch the discussion on irc log. | 14:36 |
| SridarK | annp: ok | 14:37 |
| annp | see you later | 14:37 |
| SridarK | annp: thx talk ltr | 14:37 |
| *** annp has quit IRC | 14:37 | |
| xgerman_ | o/ | 15:01 |
| *** yamamoto has quit IRC | 15:18 | |
| *** SridarK has quit IRC | 15:32 | |
| *** yamamoto has joined #openstack-fwaas | 15:46 | |
| *** chandanc has quit IRC | 15:49 | |
| *** chandanc has joined #openstack-fwaas | 15:51 | |
| *** AlexeyAbashkin has quit IRC | 16:14 | |
| *** chandanc has quit IRC | 16:16 | |
| *** chandanc_ has joined #openstack-fwaas | 16:16 | |
| *** yamamoto has quit IRC | 16:30 | |
| *** yamamoto has joined #openstack-fwaas | 16:31 | |
| *** yamamoto has quit IRC | 16:36 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 16:56 | |
| openstackgerrit | chandanc proposed openstack/neutron-fwaas master: Remove disable option for default FWG and allow only on VM ports https://review.openstack.org/539461 | 17:10 |
| amotoki | is anyone interested in fixing neutron-fwaas-dashboard bugs? | 17:22 |
| amotoki | I will have another release at least for translations. | 17:22 |
| amotoki | fwaas v2 dashboard is half baked now and is far from matured, but I am not sure how we move this forward as a team. | 17:23 |
| *** yamamoto has joined #openstack-fwaas | 17:32 | |
| *** yamamoto has quit IRC | 17:36 | |
| *** AlexeyAbashkin has quit IRC | 17:39 | |
| *** yamamoto has joined #openstack-fwaas | 17:45 | |
| *** yamamoto has quit IRC | 17:45 | |
| *** chandanc_ has quit IRC | 17:55 | |
| *** yamamoto has joined #openstack-fwaas | 18:45 | |
| *** yamamoto has quit IRC | 18:58 | |
| *** SridarK has joined #openstack-fwaas | 19:06 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 19:11 | |
| *** AlexeyAbashkin has quit IRC | 19:58 | |
| *** AlexeyAbashkin has joined #openstack-fwaas | 20:04 | |
| *** AlexeyAbashkin has quit IRC | 20:19 | |
| *** SridarK has quit IRC | 22:29 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!