[openstack-dev] [neutron] Deprecating old security groups code / RPC.

Kyle Mestery mestery at mestery.com
Thu Dec 4 14:50:18 UTC 2014


On Thu, Dec 4, 2014 at 8:40 AM, Miguel Ángel Ajo <majopela at redhat.com> wrote:
>
>
> On Thursday, 4 de December de 2014 at 15:19, Ihar Hrachyshka wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thursday, 4 de December de 2014 at 15:06, Miguel Ángel Ajo
> wrote:
>
>
>
> During Juno, we introduced the enhanced security groups rpc
> (security_groups_info_for_devices) instead of
> (security_group_rules_for_devices), and the ipset functionality
> to offload iptable chains a bit.
>
>
> Here I propose to:
>
> 1) Remove the old security_group_info_for_devices, which was left
> to ease operators upgrade path from I to J (allowing running old
> openvswitch agents as we upgrade)
>
> Doing this we can cleanup the current iptables firewall driver a
> bit from unused code paths.
>
>
> +1.
>
>
> I suppose this would require a major RPC version bump.
>
> 2) Remove the option to disable ipset (now it’s enabled by
> default and seems to be working without problems), and make it an
> standard way to handle “IP” groups from the iptables
> perspective.
>
>
> Is ipset support present in all supported distributions?
>
>
> It is from Red Hat perspective, not sure Ubuntu, and the others, I think
> Juno was targeted to ubuntu 14.04 only (which does have ipset kernel
> support and it’s tool).
>
> Ipset was in kernel since 2.4.x, but RHEL6/Centos6 didn’t ship
> the tools neither enabled it on kernel (AFAIK).
>
Once we verify Ubuntu's support for ipset (kernel and user tools), I'm
+1 to this proposal. RHEL/CentOS/Fedora and SuSe look good.

Thanks,
Kyle

>
>
>
>
> Thoughts?,
>
> Best regards, Miguel Ángel Ajo
>
> _______________________________________________ OpenStack-dev
> mailing list OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> _______________________________________________ OpenStack-dev
> mailing list OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
>
> iQEcBAEBCgAGBQJUgG1jAAoJEC5aWaUY1u57aK4H/1G0R0NgURf1l7WCx27VqRDR
> jdFlYzecMk2E6h84Fv5tJgGqAm6mGEFUrLf8MJ9+kDB33Syb+zvxJc9v6CvMw7br
> o+Qjk4lbHiiko1W8kDmq+onjUDHExapTR1+PsSX0HmuEvwV8yrAm/VJyccAAiqB6
> XPrWG4Xft2zEp004/uT9jzJPeW4YhRNY84Sa2C1ghemzKn43QYlu8U3DfuDzfQFP
> 2MjzTwdP1FfBIX0jhXHrMlnHGuuxAscL9v6DM7Np2Iro6ExXK1ry9ex4/NWbdcIY
> sP9MkuA2wAMYE8pN1UM4LwSPg2rpEZEuwJfXyTohshcVHDoyPk81F4Q6R+ABPqM=
> =xzY6
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list