Hi,
On Monday, 2 November 2020 23:59:58 CET Thomas Goirand wrote:
Hi Slawek,
Thanks a lot for the summary, that's very useful.
On 11/2/20 10:56 PM, Slawek Kaplonski wrote:
* replace ip commands with pyroute2, under a privsep context (elevated
permissions needed)
Please, please, please, do this, and give it some high priority. Spawning thousands of times the ip command simply doesn't scale.
Yes, we know that :) And it's one of our priorities in this cycle.
## Migration to the NFtables
During this session we were discussing potential strategies on how to migrate from the old iptables to the new nftables. We need to start planning that work as major Linux distributions (e.g. RHEL) are planning to deprecate iptables in next releases.
Did you know that Debian uses nftables by default since Buster, and that one must set iptables-legacy as alternative, otherwise Neutron becomes mad and fails applying firewall rules?
Yes, that work already has been started - see https://review.opendev.org/#/c/759874/ But it's a lot of work to do so it may not be very fast and help is welcome in that area :)
I'm not sure about Bullseye, but maybe there, iptables-legacy will even be gone?!?
## Leveraging routing-on-the-host in Neutron in our next-gen clusters
As a last topic on Friday we were discussing potential solutions of the _L3 on the host_ in the Neutron. The idea here is very similar to what e.g. __Calico plugin__ is doing currently. More details about potential solutions are described in the etherpad [14]. During the discussion Dawid Deja from OVH told us that OVH is also using very similar, downstream only solution. Conclusion of that discussion was that we may have most of the needed code already in Neutron and some stadium projects so as a first step people who are interested in that topic, like Jan Gutter, Miguel and Dawid will work on some deployment guide for such use case.
It'd be great if people were sharing code for this. I've seen at least 3 or 4 companies doing it, none sharing any bits... :/
Yes, I think that OVH may consider that. And also there should be now some collaboration between Jan, Miguel and maybe others on that topic.
How well is the Calico plugin working for this? Do we know? Has anyone tried it in production? Does it scale well?
Cheers,
Thomas Goirand (zigo)
-- Slawek Kaplonski Principal Software Engineer Red Hat