From YouTube: Antrea Community Meeting 11/09/2020
Description
Antrea Community Meeting, November 9th 2020
A: Oh, I see Rickard is joining. Okay, so good morning, good afternoon, good evening to everyone, and welcome to this instance of the Antrea community meeting. Today is Monday, November the 9th, or Tuesday, November the 10th, according, as usual, to which time zone you're in. For today we don't have an official prepared agenda, but since we always have something to discuss, I will hand it over to Wei Chang for his presentation. So Wei Chang, you can go ahead.
B: Okay, okay. I would like to show the AntreaProxy NodePort service design today. First, this draft is only for Linux nodes, and we still need to design the solution for Windows nodes later, yeah. The motivation is that we have already implemented ClusterIP services in Antrea, but kube-proxy is still needed to support NodePort services, since the current proxy cannot run only for NodePort services, and ClusterIP services calculation takes a lot of CPU cycles and memory, yeah, mostly important.

B: Kube-proxy. And here comes the detailed design, yeah. From our prior experiment, the performance of iptables will go down significantly if there are too many rules. Thus we should keep the number of iptables rules as small as possible, and by using ipset we can use a constant number of iptables rules to match the traffic that we need to redirect. For a hash-type set, the matching complexity should be O(1), and for each NodePort service there should be several entries in the ipset,

B: according to the interface addresses on the node. And the traffic, no matter if it comes from a remote host or the current host, for example with a localhost source IP address, once its destination matches entries in the ipset, then we need to forward it to OVS by doing DNAT using a link-local address, for example this one, yeah. This one should be configurable, yeah. And to enable the forwarding we need an onlink route rule, for example like this: setting the link-local IP, well, the link-local IP, and routing via the Antrea gateway, yeah, yeah.
B: This paragraph is directly copied from the Kubernetes official document, yeah. There are two options for the type of NodePort service: Cluster and Local. Cluster obscures the client source IP and may cause a second hop to another node, but it should have good overall load spreading. Local preserves the client source IP and avoids a second hop for LoadBalancer and NodePort services, but risks potentially imbalanced traffic spreading.

B: This approach preserves the original source IP addresses. Need to pay attention here that if there are no local endpoints, packets sent to the node are dropped, yeah, so you can rely on the correct source IP in any packet processing rules you might apply to a packet that makes it through to the endpoint.

B: The implementation according to the external traffic policy would look like below, yeah, this one. And the hex F0, yes, F0 and F1, are used to tell the external traffic policy type of the packet. As I said, in the OUTPUT chain and the PREROUTING chain we send the packet to the Antrea NodePort chain to match if the packet is a NodePort target, yeah. And for Local external traffic policy packets, yeah, we set it with ct mark.

B: We set it with ct mark F0, or if it is a Cluster policy NodePort service, oh, we set it with F1.

B: Make the packet be forwarded to OVS, and after the route decision, then the packet goes through the POSTROUTING chain, and in POSTROUTING, the packet with a localhost source IP, if it goes to a Cluster NodePort service, we do SNAT, yeah, yeah. Zoom out. Well, there are two types of traffic paths for NodePort services, for example the externalTrafficPolicy Local or externalTrafficPolicy Cluster, and for the Local policy we only need to care about the first case.
B: The client goes through the node and there is no second hop. And for the Cluster policy we need to care about both of these two cases. And for the Local policy, or the single-hop Cluster policy, the detailed traffic path of our implementation is like this: when the client issues a request, that comes to PREROUTING, and in PREROUTING we do the DNAT if it is NodePort service traffic, and do the masquerade.

B: Oh sorry, just here, yeah, and do the masquerade, and then the packet goes to OVS. And in OVS we just use the existing service DNAT flows to forward the packet to the endpoint pod, and then it goes back, yeah. For the two-hop case the traffic passes through like this, yeah. It's just the same as the prior one, but in OVS the destination IP is DNATed to the endpoint pod, which is on a different node, and then the packet goes to another node via the tunnel, and then the endpoint pod responds via the tunnel also, yeah. Based on the cases above we need the following flows.

B: Currently, in the current OVS pipeline, a packet from a pod to external addresses will be tracked with ct mark 20. As we do DNAT for endpoint selection with 21, then the second packet of a connection from external will not be correctly tracked. Thus we need the following flow to handle the issue, yeah. Also, we need a virtual IP.

B: And for alternative solutions, for the host traffic forwarding part we can use alternatives like eBPF or nftables, but for now I cannot see any significant disadvantages if we use iptables. And the test plan: I believe that the component test should cover the NodePort functionalities, and also we could add additional e2e tests to cover more, yeah. And since we use ipset to match NodePort services, the time complexity of packet matching should be O(1), and well,

B: the time complexity of OVS flow matching is also O(1). Then the performance should be decent. At least more standard activations will reduce significantly once we remove kube-proxy. The connection setup delay should decrease too, yeah. And, as you mentioned, in the current design the traffic from a pod to a NodePort service will go through a complex path. Yeah. When a pod issues a NodePort request,

B: it goes to the host first, and then the packet goes to PREROUTING, POSTROUTING, OVS, and then back, and the endpoint pod responds to OVS and then back to the host, and then back to OVS again and then back to the source pod, yeah.

B: It's complex, but as NodePort services are designed for out-of-cluster access, and pod to NodePort should not be a common and best-practice use case, so to keep the implementation clear and efficient for those real use cases, I think the current implementation is reasonable, yeah. And that's all about the design doc. Any questions?
A: Thanks Wei Chang, this is a very good introduction. I have a simple question. So basically, okay, to confirm, now we are doing a DNAT twice for every connection that gets into the host, right? Because there is a first DNAT to the virtual IP address in this link-local network, and then a second DNAT to the actual pod IP, which is done in OVS.

A: Okay, that was just a curiosity, because you know, typically NAT is the enemy of latency. But I mean, the other question that I had is: I don't see any issue for making this work in IPv6, is that correct? It should just work fine with IPv6 as well.
B: I didn't consider IPv6 in this design, but I believe it's quite easy to migrate, because both ipset and iptables support IPv6, and in these two new OpenFlow definitions we don't have any IP version specific matching or actions. I guess yes.

B: I thought that maybe when the pod responds to the source IP link, link in Cluster type.
D: Okay, so we can, you said, a supporter, I'll miss that. Do we need to stop kube-proxy for it to work, or even if kube-proxy is still running, that we can?

B: Yeah, for now I insert those iptables rules at the first place, so it actually takes over ahead of kube-proxy. But when we implement this one and we consider the way to start Antrea without kube-proxy, since kube-proxy provides the stories of the chronicles, yeah, then maybe we can remove kube-proxy totally. But this is only for Linux nodes, and for Windows we may still need kube-proxy for a while.

B: Because this is, sorry, for Linux, yeah. And the next, since on Windows we don't have iptables rules, we need another approach to achieve this functionality.

D: I mean, if you access a ClusterIP service from the node, from the host, on the host namespace.

D: So do you think we can handle it in OVS itself? For example, we had some flows to match the node port, at least the port with the local node IP, yeah, difference.

B: Yeah, yeah, it can be. And for now I installed, inserted service flows with the link-local link, okay, and if we enhance the path, maybe we need to install two flows for one NodePort service, one for the virtual IP and one for the node IP here. But considering that, since we cannot only have one node in a cluster...

D: I think we should just have the local device here at most, because otherwise it will be quite different from the kube-proxy behavior. And I mean, if you have a remote loader, actually the traffic will never go remotely. I don't know if it's a good change or not.

B: For the two flows, maybe it's different than those other services, and since these cases are rare and it's not best practice, maybe it's cool, yeah.

D: But sure, I didn't think about it enough. I mean, probably, yeah, you are right.
B: Okay, for the demo, yeah, it's quite simple. Because we have AntreaProxy enabled, and in my local cluster here you can see there is a Prometheus service which serves on 30,000, or 30 thousand, and yeah, it's a NodePort, yeah!

B: Okay, so that's all, I think that's all my part.

A: Well, thank you. That was a very nice presentation, I really appreciate that. And you know, if this allows us a path for running Antrea without kube-proxy, I think it's generally a very good improvement for the project overall.

A: So, unfortunately, for today we don't have any other topic, which means we will open the meeting now for open discussion, which of course implies that we can talk about anything you want. So if you have anything that is buzzing, that you'd like to talk about, feel free to propose your topic.
F: So we are aware of the issue and we are working with Zhang on a workaround for this, and it so happens that VMware is running a public instance of Harbor, which is a Docker registry which can be used to host projects related to VMware. So we're working with them and we're starting to use that Docker registry to make the Antrea Docker images available, and all the Docker images that we use as part of the build and the testing process.

F: Great question. This is something that we need to discuss. Apparently the people at VMware running this public registry would be okay with the kind of traffic we're seeing for our Docker images, which I think is way less than, I think it's less than ten thousand a week for sure, ten thousand pulls a week. So we probably need to double check, but I think we have no plan to update the manifest for the upcoming release to replace the default Docker registry with the Harbor registry.
G: So another item I'd like to bring up: in a prior release we did a retrospective, and I think Cody is the one who ran it. I'm here trying to help the Antrea project get a good open source community health report card. So I would like to see another retrospective in the upcoming release. If Cody isn't available, I'm willing to volunteer, but if somebody else wants to do that, that's fine too. Just asking if people liked having one before, and if you did.

A: And, let's see, then I believe that would be a good idea. As far as I know, there are no plans, I mean, no one is working on such a retrospective at the moment. Is that correct, Allan, Shinjun?

F: Oh yeah, that's correct, but I think we would love to have a new one driven by Stephen. I think it would be great. Is it the next meeting or the one after that? I'm going to be off next meeting for Thanksgiving week. I don't know if other people are going to be in that same boat, but yeah, in one of the next couple of meetings it would be great to do that.

A: Yeah, I mean, that's a good idea and I will really welcome Stephen leading this. As mentioned, the next meeting will fall in the Thanksgiving week, so I believe many community members joining from the United States might not be available. So we might do this in four weeks' time, if that's okay for everyone.

A: All right, so we also have, good, so we are also building the agenda for that meeting. And that said, is there anything else to bring up for today?

A: And it appears that there are no more topics for today, so I would like to thank again Wei Chang for his demo, really, really informative, and also many thanks to Steven for volunteering for conducting the retrospective, or for assessing the health of the open source project. And that said, I would like to also thank everyone for attending and, as usual, I wish everyone a good morning, good afternoon, good evening or good night, of course, for our friends in Palo Alto. So thanks for joining, and talk to you in two weeks' time.