Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Antrea / Community / 9 Nov 2020
Antrea / Community / 9 Nov 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Antrea Community Meeting 11/09/2020

Description

Antrea Community Meeting, November 9th 2020

A

Oh, I see rickard is joining okay, so good morning, good afternoon good evening uh to everyone and uh welcome to this instance of the andrea community meeting today is monday november, the 9th or tuesday november the 10th, according as usual, to which time zone you're in and for today we don't have an official prepared agenda, but since we always have something to discuss, uh I will hand it over to wei chang for his presentation so watching you can go ahead.

B

Yeah thanks my screen. First.

B

Okay, okay, uh I would like to show the entroproxy no power service design uh today and uh first, uh this traffic is only for new snows and we still need to design the solution for windows snows later yeah. The motivation is that we have already implemented class iep services in andrea and uh but the key proxy is still needed to support newport services, uh since uh the current proxy can not run only for no power sources and causality sources, calculation of faith with a lot of cpu cycles and memories yeah mostly important.

B

uh The no pulsar is this support in anterior and removable cube proxy in the clusters, and we can wipe the overhead and, furthermore, the traffic for watching surveillance resources should also decrease, and the pressure of api server should also be lower.

B

The general idea is that for both cluster ip and no power services when accessing them, the traffic should also should always be denied to a point in point, and thus we can reuse the class ip and point selection flows in os and to achieve this, the traffic going to the host the local traffic must be redirected to the os correctly yeah, and once we implement this feature, then we can kill proxy deployment in theory, but we need to consider the way to start entry without kill proxy or start the whole class result.

B

Q, proxy and here come the detailed design yeah from our prior uh experiment. The performance of pipe12s will go down as a significant like if there are too many rules uh those. Thus we should keep the number of uh iptables rules as small as possible and by using rpset we can use a constant number of architectural rules to make traffic that we need to redirect and for a hashtag type set. The matching complexity should be uh a one and for each with no power service we can there should be several entries in the ipsec.

B

According to the interface addresses on the node and the traffic, no matter if com comes from the remote or the current host, for example, with localhost sources, ip address once its destination matches entries in ipsec, then we need to forward it to the os by doing dna using a link host address, for example, this one yeah this one should be configurable yeah and to enable the forwarding we need an unlinked route rule, for example like this uh setting link local ip well, the link cloud ip and running the android gateway, yeah yeah.

B

This web graph is directly copied from the uh kronetics official document yeah. There are two options for the type of no port service cluster and the local and the cluster obscures a current source ip and may cause a second hook to another node, but it should have good overall load spreading and the local preserved client source ip and avoids a second hoop for load, balancer and no prototype sources. Various risks potential imbalance, traffic spreading.

B

This approach preserves the original source id addresses need to attention here that, if there are there are no uh local endpoints uh packets sent to the node are dropped yeah, so you can rely on the correct uh source ip in any package processing rules. uh You might apply a package that makes it through the endpoint.

B

Then the the diagram, the workflow diagram, should look like this. A package goes from come from the external or come from a local host.

B

They goes to the pre-routing chain and then then do the long decision and then go to the house routine, and if it's come from a local host or it goes to a cancer cluster, no port, and then we do the vascularity yeah. That's iptables.

B

Implementation, according to the uh external traffic policy, would look like uh below yeah this one and the f-zero hex yes, f-zero and the f-one are used to tell the external traffic policy type of the package, as, as I said, in output chain and the pre-loading chain, we we send the packet to the internal port chain to match uh if it. If, if the package is a no power target yeah and for for local external traffic policy uh package yeah, we we reset with c with city mark.

B

We set it with city mark f-zero or if it is a cluster policy, uh no pro check service. Oh, we set it with f1.

B

If and then, if the, if a package weighs with.

B

Make the package be forwarded to the os and after after the whole, these are a loud decision, and then the package goes through the post routing chain and the impulse rotation. uh The the package uh with source with uh localhost source ipr is for uh it goes to uh cluster snowpower service. We do as that yeah yeah zoom out wheel. There are two type called traffic passes of no pro services, uh for example uh the external traffic policy, local or x-traffic policy cluster, and for local policy. We only need to care about the first cases.

B

The client goes through the node and uh there is. There is no second hoop and for a cluster policy we need to care about both of these two cases and for the local policy or single hoop council policy. The detailed traffic path of our implementation issues like this when the client issues a request and that come to the pre-routing and and uh in pre-routing we do the d-net if it is uh no port service traffic and if it and do the uh do the data and do the masquerade.

B

Oh sorry, uh just here is uh yeah and do the masquerade, and then the packet goes to the uh os and in os we just uh use a existing existing service d net flows and to forward the packet to the endpoint part, and then it goes back yeah for the two hopes cases the traffic the traffic pass through like this yeah, it's just the same as the prior one, but in os the the destination ipa is divided to endpoint endpoint part, which is on a different node, and then the packet goes to the another goes to another node, while uh tunnel and yeah the the then the the endpoint part responds well tunnel, also yeah, based on the case about we need the falling flows.

B

uh First, the uh flows that makes no power package comes from gateway back to the gateway. uh Waste storage signal instead of the gateway city market.

B

Currently, in current os pipeline and package from paul to external addresses, will be tracked with 60 mark 20., as we do denied for endpoint selection with 21, then the second package of a connection from external will not be correctly tracked. Thus we need the following flow to handle. The issue yeah also, we need a water, ip virtual ip.

B

And for alternative solutions and for the host traffic forward part, uh we can use alternatives like uh ebpf or ib tables, but for now I cannot see any significant disadvantages if we use ip tables and the test plan, I believe that the components test should carry the should cover the no port functionalities and also, we could add additional e to e test to cover more yeah and since we use ipsa to match no pro services, the time complexity of package matching should be o1 and well.

B

The time complexity of os flow matching is also 0 1. Then the performance should be decent. At least more standard activations will reduce significantly once we remove the cube proxy. The connection setup delay should decrease too yeah and, uh as you mentioned, that in current design, the traffic from pod to uh no power service will go through a complex path. Yeah. It should uh when upon issues uh well paul issues, a a low part request.

B

It goes to the host first and then it goes to, uh and then the the packet goes to predating, post routing, os and then back and the endpoint part respond response to the os and then back to the host and the whole and then back to os again and then back to the source. Pawn yeah.

B

It is it's complex, but uh as a notepad service are designed for out of classroom access and the pause to notepad should not be a common and best practice use case. So to keep the implementation clear and the efficient for those real use. Cases I think, can current implementation is reasonable, yeah and and that's all about the design dock and the questions.

A

Thanks foreign, this is a very good introduction. uh I have a simple question so, basically, okay, confident now we are doing a d not twice for every connection that gets into the host right, because there is a first d naught to the virtual ip address uh in this indeed link local network and then a second dinette to the actual pod ip, which is done in obs.

A

Is that correct, yeah you had? Did you get a chance to measure whether this introduce additional latency.

A

Okay, that was just that was just a curiosity because you know typically not is the enemy of latency, but uh I mean I the other question that I had is. uh Do you? I don't see any issue. Why uh for making this work in ipv6? Is that correct? It should just work fine with ipv6 as well.

B

uh I didn't consider the ipv56 in this design, but I I believe is it's quite easy to migrate because uh ipsec, uh both ipsec and iptable, support, ib ipv6 and in the new in this two new uh overflow open flow definition, and we don't have any ip version, specific matching or actions. I guess yes,.

A

Thank you and the last question is just because I did not understand so. If you can repeat why we need the arp responder and what are we doing with it?.

B

I thought that maybe paul when paul responds to the source, ip uh link link in closer type.

A

Okay, so it's just for the visual ip on the link on the link local network, then.

C

Yeah, okay,.

A

Thank you yeah. I don't know that makes sense. That makes sense. Thank you. Yeah.

D

Okay, so we can, you said uh a supporter I'll miss that uh do we need to stop? Could we proxy for it to work or even quick process, is still wrong, that we can.

B

Yeah for now I insert those those ipod rules at the first phase, so it's actually take over the right as right hand to proxy, but uh when we yeah when we when we uh implement this one and and we consider the way to start entry without to proxy since coproxy- uh provide the stories of the uh chronicles yeah, then maybe we can remove to proxy totally. But this is only for new snows and windows. We may still need a cure proxy for a while.

D

uh Sorry in windows, why would you call it.

B

Because this is sorry for what linux yeah and the next uh since on epsilon, we don't have ipa tables rules and we need another approach to achieve this functionality.

D

I see, I think for windows is simpler right because we remove the node ip to the left bridge. So you don't really need any other filter to intercept the traffic from the node.

B

Yeah but I think so maybe I could should consider it long term.

D

So another question now, for, if we remove the cookie processing need add result to the cluster class ipc direct. Otherwise, if the node says they never try to resize the service, you need some way to fold the traffic to os fridge.

D

I mean uh if, if, if you access a class ip service from the from the note from the host on the host namespace.

C

Yeah yeah yeah. I didn't consider that but yeah it's true.

E

The output chain take care of this if the ip match the output chain, and we already do a net.

D

uh I didn't I mean uh the testing that we should be the class type here.

E

Oh, you, you mean cluster action. I.

D

Mean I love it as a class, okay, so um yeah, I think you can. You can have some way to fix it um yeah. I.

B

Should consider anymore thanks.

D

uh One more last thing um I think you mentioned the case for port to access the node port um yeah.

D

So do you think we can handle the openness itself? For example, we uh we had some flows to match the node port, at least the the the the port with the with the local node yeah difference.

B

Yeah yeah it can be, and for now I installed uh insert service uh service flows with uh the link, local link, okay, and if we we, if we enhance it, enhance the the path I maybe and we need install two flows for uh for one, uh the power series, one one for the uh virtual ip and one for the you know node ip here, but but considering that, uh if we have uh not, since we, we cannot only have one node uh uh in a cluster.

B

um We.

C

Should install all install many many floors.

D

I think we should just have the local device here the most uh because otherwise it will be quite different from from the cooling process. Behavior, and I mean if you you have a remote loader. Actually the traffic will never go to remotely. I don't know it's uh it's a good uh change or not.

D

Okay, we have other local locations. Yeah, okay,.

B

Yeah, I actually.

C

Already you're good.

B

Yeah, sorry, you can help okay and that's one story.

C

Sorry yeah, I just saw that one sorry.

B

For two uh two flows: may it it's not it's different than those other services and since these cases are not rarely and it's not best practice, maybe it's cool yeah.

D

But sure I didn't think about it enough, I mean uh probably yeah for you you, you are right.

D

If you don't work well to make change.

C

Yeah, I could do some performance tests and then decide or.

C

Not.

D

All right.

B

Okay for demo yeah, it's quite simple um because we have a promise enabled and in my local local cluster here you can see there is a permission series which serves on 30, 000 or 30 thousand and yeah. It's a nose, yeah!

B

Sorry! Let me guess it.

B

You should our kernel to show the words, also works and that's inspect the worker node. The the ipsec should look like this. Yes, permissions, no power service which serves on these addresses yeah and in ip tables.

C

Table and the.

B

Yeah the this, these two should be heated one more.

B

Time yeah this rule should be hated and mask.

B

And.

B

This should also be heated two seven.

B

Yeah, two: okay yeah, it's a quite simple demo, yeah yeah, so the information it's implementation. They are uh 1471. yeah. It passed those compromise tests. I think so. Functionality should be validated again all right. So.

B

More questions.

B

Okay, so serato, I think uh that's all my part.

A

Well, thank you. That was a very nice presentation. I really appreciate that, and- uh and you know if we, if this allows us a path for running and trigger without the cube proxy, is, uh I think, it's generally a very good improvement for for the project overall.

A

So, um unfortunately, for today we don't have any other topic, which means I will. uh We will open now the meeting for open discussion, which of course implies that we can talk about anything you want. So if you have anything that it's buzzing, you that you like to talk about, feel free to propose your topic.

A

And, of course, we will wait a couple of minutes.

F

uh Maybe just a quick announcement that uh if you are seeing your ci jobs, fail because of the docker rate limiting so right now, this would only be affecting the ci jobs that runs on the vmc jenkins on aws, for example, the conformant test and the end-to-end test run this way.

F

So we are aware of the issue and uh we are working with uh zhang on a work around for this, and it so happens that vmware is running a public instance of arbor, which is a docker registry which can be used to host projects related but related to vmware, so we're working with them and we're starting to use that docker registry to make the entry docker images available and all the docker images that we use as part of the build and the testing process.

F

So our base images or open v switch images and so on, and so we're updating all the ci jobs. And so hopefully the issue is going to go away and it's going to unstuck some prs.

A

Awesome, so that's uh that's good news out of curiosity. Will we use this registry just for the ci or are we planning to make it also an official image? Sorry image, registry for andrea, andrea.

F

Great question: this is something uh that we need to discuss. Apparently, the the people at vmware running this public registry would be okay with the kind of traffic we're seeing for our docker images, which I think is way less, that than I think it's a it's less than ten thousand a week for sure ten thousand polls a week. uh So we probably need to double check, but- and I think we have no plan to update the manifest for the upcoming release to replace a default docker registry with um arbor registry.

F

But I think it's something we should consider for future releases, especially if we start seeing. Complaints from from users sounds.

F

Good but yeah. If someone is listening to this and runs into issue in their clusters, we can share the public registry. I mean it's public, so it's meant to be used.

F

Perfect.

G

So another item I'd like to bring up in the in a prior release. We did a retrospective um and I think cody is the one who ran it. uh I'm here trying to help the andrea project uh get a good open source community health uh report card. So I would like to see a another retrospective in the upcoming release if cody isn't available, I'm willing to volunteer, but if somebody else wants to do that, that's fine too, just asking if people liked having one before and if you did.

G

If there are plans to do it again,.

A

And, let's see, then I I believe that would be a good idea. As far as I know, there are no plans, for I mean no one is working on uh such a uh such extra perspective. At the moment um is that correct and allan shinjun.

F

Oh yeah that's correct, but I think we would love to have a new one uh driven by stephen. I think it would be great. Is your next meeting or the one after that? I'm gonna be off next meeting for thanksgiving week. I don't know if other people are going to be in that same boat but yeah in one of the next couple meetings. It would be great to do that.

G

Okay and they, I realize I'm not an active developer on the project, but they actually say for moderating one of these perspectives that that's a good thing, so yeah.

F

I think it's better yeah. I agree.

G

I have a great day whenever it's convenient, then.

A

Yeah, I mean that's a good idea and I will really welcome stephen leading this. uh As mentioned, the next meeting will follow in the thanksgiving week, so I believe many community members from joining from the united states might not be available. So we might do this in four weeks time if that's okay for everyone.

F

I think it's great, especially with kubecon timing.

A

Right perfect, then, so we schedule these for the meeting of december december, which day come on calendar work. That will be december. The 8th yes december, the 8th.

A

Oh sorry, december 7th, for you.

F

Yeah, that sounds right just.

A

All right, so we also have work good, so we are also building the the agenda for that meeting and uh said that is there anything else to bring up for today.

A

And it appears that there are no more topics for today, so I would like to thank again waychanga for his demo uh really really informative, and also many thanks to steven for volunteering for conducting uh retrospective or for assessing the health of the open source project and say that I would like to also thank everyone for attending and, uh as usual, I wish everyone a good morning, good afternoon, good evening or good night, of course, for our friends in palo alto. So thanks thanks for joining and talk to you in two weeks time.

D

Thank you thank.

C

You.

A

Thank you, bye-bye.