19:04:43 <tbachman> #startmeeting ovsdb_weekly
19:04:43 <odl_meetbot> Meeting started Tue Jul  7 19:04:43 2015 UTC.  The chair is tbachman. Information about MeetBot at http://ci.openstack.org/meetbot.html.
19:04:43 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:04:43 <odl_meetbot> The meeting name has been set to 'ovsdb_weekly'
19:04:48 <tbachman> #chair shague flaviof
19:04:48 <odl_meetbot> Current chairs: flaviof shague tbachman
19:04:52 <tbachman> #topic agenda
19:04:59 <tbachman> #link https://meetings.opendaylight.org/opendaylight-ovsdb/2015/osvsdb_weekly_call/opendaylight-ovsdb-osvsdb_weekly_call.2015-03-24-19.06.html Last recorded meeting minutes
19:06:07 <tbachman> #topic status
19:08:29 <tbachman> #info shague added some manual test verification tasks
19:09:00 <tbachman> #action adetalhouet to move some tasks to doing in Trello
19:09:18 <adetalhouet> #info adetalhouet
19:09:21 <tbachman> #info shague said that VTEP con-call this morning involved trying to decide the new APIs, and how it will map into neutron
19:10:11 <tbachman> #info vishnoianil is done with coding for ARP for external gateway — looking to hook it into main for external network, then will test
19:11:18 <tbachman> flaviof: do you know if the fix for security groups for stable/kilo is going to be back-ported, or do we think we’ll just be keeping the fork?
19:12:34 <tbachman> #info adetalhouet discovered an NPE in net-virt code in master branch, for distributed ARP (enable/disable)
19:12:53 <tbachman> #info flaviof says this NPE is not in stable/lithium
19:13:26 <tbachman> #info shague asks if this is related to bug 3545
19:13:34 <tbachman> #info flaviof says the subject is the same, but the NPE is not
19:15:08 <adetalhouet> https://gist.github.com/adetalhouet/204976edfef309c06edf
19:15:31 <tbachman> #link https://gist.github.com/adetalhouet/204976edfef309c06edf capture of NPE condition
19:15:42 <tbachman> adetalhouet: thx :)
19:16:06 <adetalhouet> tbachman: np :) nice to see OVSDB's gonna have minutes now
19:16:11 <tbachman> lol
19:16:19 <tbachman> I’ve been out of touch with the community for too long! :)
19:16:24 <tbachman> finally catching up
19:16:49 <adetalhouet> thanks, those are really useful to catch up on what happened
19:17:43 <tbachman> glad to help!
19:18:13 <tbachman> #info vishnoianil points out that the properties file is in the controller, and not OVSDB — it probably doesn’t have this new property, which is causing the problem
19:18:49 <tbachman> #info flaviof says that it should be coded in a way that if the config isn’t there, it should handle it (it checks if the property is null)
19:20:35 <odp-gerritbot> Gabriel Robitaille-Montpetit proposed a change to ovsdb: Suggestion: fix isDistributedArpDisabled NPE.  https://git.opendaylight.org/gerrit/23852
19:20:39 <tbachman> #info afredette says he’s going to put a proposal together for SNAT support for sometime next week
19:21:47 <tbachman> #info vishnoianil says that clustering is the next thing on his plate after the ARP resolver
19:22:01 <tbachman> #info vishnoianil is going to work with flaviof on a tentative plan for clustering support
19:22:49 <tbachman> #info vishnoianil is looking to create a device-to-instance lock so that devices can be distributed across instances
19:23:59 <tbachman> #info shague asks if persistence and high availability is part of clustering
19:24:24 <tbachman> #info vishnoianil says clustering enables persistence, high availability, and scalability
19:24:33 <tbachman> flaviof: do you know if the fix for security groups for stable/kilo is going to be back-ported, or do we think we’ll just be keeping the fork?
19:24:41 * tbachman beats a dead horse
19:26:35 <odp-gerritbot> Flavio Fernandes proposed a change to ovsdb: Bug 3954: NPE exception in isDistributedArpDisabled()  https://git.opendaylight.org/gerrit/23853
19:27:18 <tbachman> #link https://lists.opendaylight.org/pipermail/ovsdb-dev/2015-July/001654.html email from shague to list on support for wildcard queries of MD-SAL
19:27:37 <tbachman> #info shague says that ttkacik responded saying they’re working on adding wildcard query support to the MD-SAL
19:27:51 <tbachman> #topic Security Groups presentation
19:28:31 <tbachman> #info aswinsuryan says they were trying to look at parity with openstack for security groups
19:28:44 <tbachman> #info they broke it into fixed security rules and security group CRUD
19:29:15 <tbachman> #info Fixed Security Rules are added despite whether a security group is selected or not, and adds a predefined set of rules which aren’t customizable
19:29:27 <tbachman> #info Security Group CRUD is customizable
19:29:52 <tbachman> #info For Fixed Security Groups, it allows ingress DHCP traffic and same-net traffic, but drops all other ingress
19:30:21 <tbachman> #info For egress, it drops any source IP/MAC pair other than that of the connected VM; drops any DHCP server traffic from the VM; but allows all other traffic
19:30:55 <tbachman> #info Conntrack Rules drop packets that appear related to an existing connection but do not have an entry in conntrack; allows packets associated with a known session
19:31:34 <mohnish> any web link for the slides?
19:31:53 <tbachman> mohnish: I don’t have one :(
19:31:59 <tbachman> aswinsuryan: do you have a link to the slides?
19:32:58 <tbachman> #info shague asks if the conntrack referenced in the slides is different from OVS conntrack
19:33:04 <tbachman> #info aswinsuryan says this is from iptables
19:33:20 <tbachman> #info shague says that conntrack is a new feature that the OVS team is looking to add in a future release
19:34:00 <tbachman> #info aswinsuryan says that currently the DHCP rules are added, the rest need to be added
19:35:23 <tbachman> #info modules to work on: neutron (needs to be ported to MD-SAL); net-virt: add a listener for MD-SAL notifications; add logic to process CRUD operations in PortSecurityHandler; Uncomment the code in OF13Provider to handle SecurityGroup handling on an interface update; in Egress/IngressAclService add logic to support multiple protocols
19:36:27 <tbachman> #info shague asks if the security group work will require more nicira extensions
19:37:49 <tbachman> shague: FWIW, GBP has implemented SG support, but I can’t say that it’s totally comprehensive
19:38:55 <tbachman> #info tbachman says that GBP has implemented support for SG, but isn’t sure how comprehensive it is
19:40:07 <tbachman> #info vishnoianil asks if security groups allow support at the connection level as well
19:40:29 <tbachman> #info flaviof says they have rules like allow HTTP or don’t allow SSH
19:40:49 <tbachman> #info flaviof says the initial implementation by networkstatic checks for initial SYN packet
19:41:55 <tbachman> #info vishnoianil asks aswinsuryan if they have an OVS setup where they can test L7 flows
19:42:08 <odp-gerritbot> A change was merged to ovsdb: Bug 3954: NPE exception in isDistributedArpDisabled()  https://git.opendaylight.org/gerrit/23853
19:42:36 * tbachman can’t type the ip-tables slide :)
19:44:55 <tbachman> #info aswinsuryan says they’re trying to map ip-tables constructs into flow-mods
19:48:15 <tbachman> #info LuisGomez says to filter using destination and source port works with openflow, but what can be done for state (e.g. TCP)?
19:49:34 <tbachman> #info LuisGomez says this is needed for things like stateful firewalls
19:51:03 <tbachman> #info vishnoianil asks if openstack tries to resolve conflicts between security group rules (e.g. allow and deny both configured)
19:51:27 <tbachman> #info aswinsuryan says he hasn’t checked that
19:52:31 <tbachman> #info flaviof says normally we defer to openstack to do the right thing
19:54:16 <tbachman> #info tbachman asks if the fix for Security Groups in stable/kilo will be backported
19:54:28 <tbachman> #info flaviof says that armando was going to look at it, but hasn’t heard back from him yet
19:54:56 <tbachman> #info flaviof says we can either neuter the callbacks, or have a commit in stable/kilo to fix this
19:55:45 * tbachman promises to stop harassing flaviof now ;)
19:55:46 <tbachman> lol
19:56:33 <tbachman> #endmeeting