[Neutron] PTG summary

Thomas Goirand zigo at debian.org
Mon Nov 2 22:59:58 UTC 2020

Hi Slawek,

Thanks a lot for the summary, that's very useful.

On 11/2/20 10:56 PM, Slawek Kaplonski wrote:
>   * replace ip commands with pyroute2, under a privsep context (elevated 
> permissions needed)

Please, please, please, do this, and give it some high priority.
Spawning the ip command thousands of times simply doesn't scale.

> ## Migration to the NFtables
> During this session we were discussing potential strategies on how to migrate 
> from the old iptables to the new nftables. We need to start planning that work 
> as major Linux distributions (e.g. RHEL) are planning to deprecate iptables 
> in the next releases.

Did you know that Debian uses nftables by default since Buster, and that
one must set iptables-legacy as alternative, otherwise Neutron becomes
mad and fails applying firewall rules?

I'm not sure about Bullseye, but maybe there, iptables-legacy will even
be gone?!?

> ## Leveraging routing-on-the-host in Neutron in our next-gen clusters
> As the last topic on Friday we were discussing potential solutions for _L3 on 
> the host_ in Neutron. The idea here is very similar to what e.g. the __Calico 
> plugin__ is doing currently.
> More details about potential solutions are described in the etherpad [14]. 
> During the discussion Dawid Deja from OVH told us that OVH is also using a very 
> similar, downstream-only solution.
> The conclusion of that discussion was that we may have most of the needed code 
> already in Neutron and some stadium projects, so as a first step people who are 
> interested in that topic, like Jan Gutter, Miguel and Dawid, will work on a 
> deployment guide for such a use case.

It'd be great if people were sharing code for this. I've seen at least 3
or 4 companies doing it, none sharing any bits... :/

How well is the Calico plugin working for this? Do we know? Has anyone
tried it in production? Does it scale well?


Thomas Goirand (zigo)

