►
From YouTube: Antrea Community Meeting 01/03/2023
Description
Antrea Community Meeting, January 3rd 2023
A
All
right
so
hello,
good
morning,
good
afternoon,
good
evening
and
thanks
for
joining
the
first
Andrea
committee
meeting
of
the
Year
2023
Happy
New
Year
to
everyone,
and
we
are
therefore
ready
to
start
with
this
meeting
so
for
today.
I
have
on
the
agenda
a
discussion
of
of
net
performance
announcements.
A
A
So
maybe,
let's
start
with
the
of
net
announcements,
and
then
you
know
we
can
go
with
the
discussion
of
these
customer
reported
issues
and
if
we
don't
go
through
all
the
issues
today,
we
can
finish
them
in
the
next
community
meeting.
I
believe
that
Ashish
joined
this
meeting
to
present
about
the
ethernet
announcements.
So
I
will
probably
just
end
it
over
to
Ashish
and
please
go
ahead
with
your
presentation.
C
C
So
let
me
give
you
just
a
very
brief
background
of
what
we
are
discussing.
So
in
Andrea
we
have
the
OBS,
which
actually
does
the
data
path,
and
this
ovs
is
programmed
by
the
Andrea
agent.
But
if
you
look
down,
it's
actually
a
set
of
libraries
that
we
use.
So
we
have
this
Library
called
live
open,
Flow,
which
majorly
does
the
encoding
decoding
of
the
open,
Flow
messages.
Previously
we
were
using
1.3
and
recently
we
coded
the
1.5
support,
which
is
now
integrated.
C
Apart
from
this,
this
Library
also
has
some
support
for
different
protocol
encoding
decoding
like
like,
like
icmp
and
other
protocols,
and
it
also
provides
some
utility
to
to
read
the
messages
and
buffer
the
messages
over
the
socket.
So
it
talks
to
the
obs,
the
the
module
that
drives
or
uses
this.
This
live
open.
Flow
is
the
of
net
which
actually
implements
the
the
logic.
C
Like
kind
of
you
can
say,
the
the
first
level
of
the
controller
Logic,
the
open,
Flow
controller,
which
so
this
implements
like
a
like
kind
of
a
switch
implementation.
You
can
program
the
of
net
using
some
kind
of
a
like
a
graph
method
where
you
can
program
different
entities.
It
has
an
obstp
driver,
support
for
a
transaction
and
packet
in
handling
and
the
the
the
the
user
of
the
of
net
is
called
an
app
or
an
application.
C
Currently,
the
application
is
Andrea
agent
or
you
can
also
trigger
different
scenarios
using
the
unit
test
which,
like
is,
is
which
acts
as
the
same
level
as
the
app
we'll
discuss
about
this
command
line
a
little
later.
So
when
we
coded
this
and
like
discussing
with
winning,
we
found
that
the
of
net
code
can
has
some
like
few
enhancements.
That
is
possible,
which
will
make
the
whole
code
better.
C
So
I
have
listed
the
points
over
here,
so
the
the
the
way
this
discussion
started
was
that
we
encountered
a
deadlock
bug.
This
was
observed,
I
think,
once
only
as
far
as
I
recall,
this
was
observed
in
some
customer
site,
where
the
the
of
net
code
kind
of
just
blocked
on
certain
load,
condition
by
load
condition.
I
mean
that
there
were
a
lot
of
flows
getting
programmed
at
the
OBS
and
under
certain
condition.
A
C
So
that's
the
plan
to
add
this
this
this
test.
Also,
we
found
that
there
are
certain
interfaces
by
interface.
I
mean
that,
like
from
whenever,
whenever
a
packet
in
is
received
at
ofnet,
it's
sent
to
the
application
or
Andrea
agent.
It's
still
like
a
like
a
function
call
we
would
like
to
make
it
like
a
buffered
channel
and
so
that
the
of
net
code
doesn't
get
locked
up
or
delayed,
because
the
application
returns
takes
more
time
than
than
what
is
usually
acceptable.
C
So
so
we
want
to
to
not
block
the
of
net
code.
One
more
thing
that
we
like
that
I
found
is
that
whenever
we
program
a
flow
to
the
ovs
open,
Flow
doesn't
like
provide
a
very
clear
feedback,
whether
the
flow
Edition
was
successful
or
not
so
right
now,
the
way
we
kind
of
account
for
the
flows
programmed
in
the
OBS
is
using
a
flow
stats,
but
OpenFlow
has
like
a
better
way
to
do
this
kind
of
a
monitoring.
C
It's
actually
called
a
flow
monitor,
and
this
the
way
it's
better
is
because
you,
once
you
program
a
flow
monitor
in
the
OBS,
it
will
just
generate
asynchronous
messages
to
the
controller
on
any
flow
Edition
deletion.
So
that
way
you
get
a
feedback
of
what's
happening
at
ovs
in
case
in
case.
For
some
reason,
OBS
decides
to
delete
a
flow.
You
again
get
a
feedback,
so
this
is.
This
is
a
good
way
to
keep
a
check
on
of
of
the
flows,
which
is
there
at
the
obs
one.
C
Other
thing
that
we
found
is
that
the
the
logging
at
the
of
net
is
is
not
like.
It's
really
bad.
So
in
case
now
we
get
any
issue
any
bug.
We
don't
know
where
it
is,
if
it's
in
the
osnet,
which
part
of
the
code
failed,
because
the
logs
are
actually
not
there,
so
this
has
to
be
added
on
a
high
priority
as
well
as
so.
We
we
need
to
add
error
logs
and
debug
log
to
for
obviously
debugging
any
issue.
C
C
We
have
the
Andrea
agent,
of
course,
so,
but
or
or
the
unit
test,
but
I
was
just
thinking
of
like
adding
like
a
command
line
to
to
to
to
so
this
command
line
tool
will
trigger
of
net
and
live
open,
Flow,
something
very
similar
to
the
OBS
of
cuttle.
We
can
have
something
called
of
of
net
cutter,
or
something
like
that,
so
that
this
becomes
like
a
standalone
utility
to
program
like
program,
add
or
delete
flows
using
this
code
base.
C
So,
just
just
an
idea,
maybe
not
a
high
priority,
but
like
probably
a
good
utility
to
have
again
right
now
so
coming
to
this
feed.
Just
this
part,
so
right
now,
whatever
is
implemented
in
of
net,
is
obviously
what
is
needed
by
Andrea
agent,
but
maybe
in
future
you
need
more
open,
Flow
features,
which
obviously
is
not
here.
C
So
this
is
kind
of
an
open-ended
thing,
where
probably
the
the
folks
working
at
the
entry
agent
can
think,
like
any
other
feature
that
they
would
be
needing
in
future,
so
that
we
can
plan
it
ahead
of
time
again.
This
is
something
which
is
I'm,
not
sure,
but
do
we
need
to
explore
the
AFX
DP
or
the
dbtk
support
at
OBS?
This
is
more
at
the
obvious
level.
C
B
I
see
you
thanks
for
sharing.
This
I
also
have
some
questions
about
fxdp
and
dbtk
data
parts
of
os
support.
So
I
want
to
take
this
opportunity
to
ask
you
some
questions
for
for
afxdp
I'm,
not
sure
whether
my
understanding
is
correct.
That
is
this
only
about
moving
the
data
path
to
user
space,
and
would
it
affect
the
use
case
of
workloads?
Does
it
require
the
workload
the
application
must
be
developed
for
the
based
on
XDP
or
like
dbtk,
based
application.
C
B
C
C
If
you
move
to
AFX,
DP
or
dpdk,
we
have
a
different
data
path
so,
but
the
the
open
Flow
the
messages,
the
interface
that
doesn't
change,
but
when
we
move
to
AFX,
DP
or
dpdk,
the
the
data
path
code
is
entirely
different,
so
and
I
believe
we
do
support
everything
that
the
the
kernel
module
today
supports
in
the
dpdk
or
the
AFX
DP
data
path.
But
that
could
be
certain
features
which
might
be
missing.
C
I
don't
have
that
list
right
now,
I
can
get
it,
but
mostly
the
interface
will
not
change,
but
the
second
limitation,
of
course,
would
be
that
at
least
for
dpdk
I
know
that
it
doesn't
work
on
like
it
works
on.
Only
certain
specific
Nicks
I
can
tell
you,
I
mean
about
afxtp
that
it
probably
again
may
have
the
same
limitation
but
I'm,
not
very
sure
about
afxtp.
Today,
I
can
I
can
find
it
out.
D
C
B
A
C
A
B
I
hope
my
screen
is
visible.
Yes,
yeah.
Currently,
we
we
have
18
open
issues
for
future
requests
and
I
have
opened
the
fields
for
today's
discussion
and
they
are
mainly
about
a
service
external
IP,
egress
and
nail
policies
and
the
sync.
The
the
issues
themselves
are
valuable
and
I
want
to
collect
more
imports
from
the
community.
B
Oh,
this
is
not
a
feature
request
and
removed
the
label
yeah.
Let's
start
from
this
one.
This
is
for
a
feature
request
to
allow
multiple
service
sharing
a
single
IP
and
is
it
use
the
use
case
of
meta
IB
either
in
Lamport
and
I.
Think
this
feature
request
makes
sense
and
I
proposed
to
just
allow
allowing
users
to
specify
the
same
IP
for
different
services
and
when
and
it
could
automatically
mod,
you
will
automatically
work
when
the
services
are
using
different
port
and
if
they
are
using
support,
they
cannot
work.
B
So
we
will
not
report
the
the
requested,
learn
bus
IP
to
the
status
of
the
second
service
and
the
LED
users
to
correct
the
configuration,
and
we
will
generate
events
for
this
service
to
alert
this
warning
a
single.
It
should
basically
work
and
also
got
some
comments
for
Antonio
and
the
shoe
and
the
user.
So
if
we
any
comments
for
this
feature
request,
if
not
I
I
think
it
should
be
clear
under
what
we
need
to
decide
is
whether
we
should
just
include
this
implementation
in
this
or
outcoming
release.
B
A
B
It
will
automatically
cleared
by
the
controller,
who
is
doing
the
model
for
managing
it.
So
his
proposal
was
to
have
an
annotation
on
Wednesday
night
before
and
meaning
that
that
external
IP
poor
will
be
used
for
all
lower
bands
type
of
Services
when
they
are,
they
don't
have
a
separate
annotation
I
didn't
reply
this
issue,
but
I
thought
about
this
through
comment.
B
My
feeling
is
that
it
may
having
a
unified
annotate,
a
unified
external
IP.
Poor
may
not
work
for
all
use
cases,
because
all
services
will
have
to
use
same
instant,
IP,
core
and
and
I
wonder
if
we
could
just
move
the
service
annotation
to
namespace
level,
not
move
to,
but
just
have
another
layer
for
annotation.
B
For
example,
when
the
when
the
name
space
has
a
how,
when
the
service
yourself
has
The
annotation,
the
Android
controller
will
allocate
the
Eastern
IP
phone
that
IP
poor
when
the
services
itself
doesn't
have
The
annotation
until
I
will
check.
The
annotation
on
the
namespace
and
The
annotation
is
in
the
same
format,
just
the
two
layer
of
annotation,
and
if
this,
the
namespace
itself
have
The
annotation,
I'm
sure
we'll
still
use
that
IP
poor
to
allocate
them
IP,
and
there
are
two
benefits
I
can
think
of.
First.
C
A
A
Yeah
I
mean
I,
don't
have
any
specific
comment
to
just
The
Proposal
from
Junction.
The
only
thing
that
dejection,
the
only
thing
that
happens.
The
only
comment
that
I
have
is
that,
typically,
if
you
have
to
annotate
something
as
being
the
default,
then
we
need
also
some
additional
check
to
make
sure
that
only
one
tool
is
a
noted
as
default
right,
so
that
that's
the
strange
part.
B
B
B
So
if
the
cluster
has
more
than
more
than
one
subnets
in
the
nodes
are
in
different
subnets
is,
is
it
we?
The
only
a
few
of
the
nodes
can
be
used
as
the
external
node
and
when
the
Houston
window
knows
that
are
in
same
subnet
are
all
done.
The
egress
will
no
longer
work,
regardless
of
the
the
which
you
know
that
the
the
traffic
comes
from.
B
B
So
I
I
think
about
this
requirement
and
propose
to
one
approach
to
address
the
limit
is
that
is
allowing
a
secondary
egress
IP
and
a
secondary
egress
IP
port,
a
Eastern
IP
poor,
to
be
used
by
an
egress,
and
that
means
that
you
user
could
request
one
egress,
IP
phone
One
external
IP,
poor
and
locate
a
secondary
eclip
from
just
for
another
instant
IP
port
and
each
using
an
IP
port.
We
are
mapped
to
one
available
Zone,
so
people
could
get
the
address
support.
B
Even
the
whole
is
done
as
long
as
any
of
the
available
song
is
up.
The
request.
Traffic
could
still
go
through
the
available
one
and
that
could
also
adjust
the
limit
of
static
egress,
meaning
that
I
I
could
use
two
different
IPS,
which
is
physically
assigned
to
two
nodes
and
even
I,
don't
use
Keystone
ip4
I
I
could
get
AJ
support
as
long
as
the
two
nodes
are
not
done
at
the
same
time,
yeah
I,
think
user
is
the
the
the
user
who
reportedly
issue
is
fine
with
the
approach.
But
let's
change.
B
A
B
B
I
think
the
use
case
is
that
when
in
in
some
this
Choice,
especially
on
cloud,
it's
very
typical
that
the
control
plane
notes
are
not
showing
up
in
the
but
I'm
not
showing
up.
As
kubernetes
knows,
the
control,
plane,
components
run
out
of
the
cluster,
and
we
there
is
no
way
to
select
the
the
IPS
of
the
control
plane
components
as
using
existing
selector.
B
B
Currently,
the
only
way
is
that
the
the
master
specify
the
I,
the
the
they
must
figure
out,
the
control,
plane,
components
IP
and
the
specifying
then
either
IP
Block
in
net
policies
so
use
this
user
requests.
This
feature
that
they
want
to
leverage
the
end
point
object
to
get
the
IP
of
control,
plane
components,
for
example.
Typically,
the
there
is
a
service
named
the
kubernetes
in
the
default
namespace
and
is
corresponding
endpoints,
how
all
com,
how
all
control
plane
IPS.
C
B
This
is
very
specific
to
one
use
case,
because
that
it
does
not
make
sense
to
use
endpoint
selector
for
for
any
other
use
cases,
especially
actually
the
endpoints
the
mean
for
the
back
end
of
service,
which
is
which
you
usually
means
the
destination
instead
of
the
source,
but
anyway,
I
I
think
the
requirement
itself
makes
sense,
but
just
no
idea.
What's
the
best
approach,
help
to
address
the
requirement.
B
D
D
B
E
E
B
E
B
E
E
E
B
B
Nasa
is
also
for
Neil
policy,
but
for
auditor
logging.
Currently,
we
don't
have
namespace
and
the
name
information
of
of
the
traffic
traffic
endpoint,
for
example
the
when
the
traffic
comes
from
a
port
or
it's
destinated,
that's
native
to
our
Port.
We
just
look
like
in
the
audit
log,
but
not
the
namespace
and
the
name
of
the
IP.
B
B
F
F
Right,
because
we
don't
really
want
to
have
like
each
agent
monitors
the
full
set
of
pods
in
the
cluster
to
be
able
to
map
IP
addresses
too
two
namespins
and
names
I
think
maybe
that
would
put
too
much
strain
on
the
API
server
and
also
that's
kind
of
like
duplicate
functionality,
with
what
we're
trying
to
do
in
the
flow
exporter
and
wistia.
But
I
do
understand,
like
the
point
of
view
that
some
users
may
not
want
to
deploy
CIA
and
still
be
able
to
have
that
information
in
the
local
policy.
F
C
F
Maybe
we
could
have
a
mechanism
to
have
the
flow
aggregator
generate.
Those
Network
policy
logs
in
in
a
similar
format.
I
think
that
that
could
be
a
solution,
because
the
flow
aggregator
should
already
receive
flow
records
for
all
the
denied
connections,
for
example,
and
it's
already
mapping
AP
addresses
to
pod
namespaces
and
names.
So
we
could
have
the
flow
aggregator
be
able
to
write
those
comprehensive
Network
policy
logs
to
to
disk,
and
then
they
could
be
collected
by
by
the
user
in
a
way
without
having
to
deploy.
F
B
F
F
B
B
I
know
the
email
managed
by
and
sure,
unless
using
the
the
flexible
iPad
mode,
which
means
the
the
the
node
the
host
network
is
bridged
by
OS
is
bridge
by
open
with
switch
and
it's
kind
of
similar
to
what
external
external
know
the
future.
That's
today
and
managing
security
for
the
node
itself,
so
I
I,
don't
have
could
upload
a
solution
for
now.
B
A
B
Your
unit
Calico
Implement
in
their
policy
atletic,
is
a.
It
is
a
default
mode.
It
use
IB
tables
to
support
the
policy
right
so
for
container
traffic.
It
just
programs
available
in
the
forwarding
forward
chain
and,
of
course,
for
host
net
policies.
I
think
they
just
create
a
applicable
scores
in
input
and
output
chain
instead
of
the
forward
chain.
So
it's
pretty
easy
for
it
to
implement
host
net
policy.
A
A
D
To
be
honest,
I
I
I,
if
you
are
very
similar
to
what
Tran
feel
and
no
this
is
also.
This
is
also
something
that
you
know
when
we
talked
about
I've
been
now
a
policy
we've
been
discussing
upstream
and
in
kubernetes
Upstream.
If
I
remember
correctly,
because
it
has
been,
you
know
a
year
give
or
take
when
we're
still
discussing
the
specifics
of
aluminum
policy
and
if
I
remember
clearly,
you
know
this
was
the
area
where
the
Upstream
kubernetes
people
say
that
we
don't
want
to
touch
this.
So
you
know.
D
A
D
E
B
B
B
E
B
B
D
I,
don't
I,
don't
know
how
that
fall
under
our
radar.
For
some
reason
I
is
there?
Is
there
anything
related
to
you
know
the
status
of
a
policy
also
merge
in
the
recent
releases.
Is
it
on
the
agent
side
where
you
know
when
you
were
working
on
some
OBS,
realization,
statuses
as
well,
that
got
merged
in
recent
releases?
I.
Remember.
D
D
A
D
A
So
before
closing
these
this
meeting,
there
is
a
comment
from
janjun
and
on
the
chart,
as
you
can
read
that
it
might
be
about
the
requirement
to
support
security
policies
on
the
traffic
we
can
probably
according
to
genjun,
we
can
try
and
add
a
new
crd
to
the
differentiate
it
from
Network
policy
for
pod.
So
that's
that's
an
idea
that
we
can
work
on
before
we
finish
today's
meeting.
Is
there
any
other
topic
that
you
would
like
to
bring
up
for
discussion.
A
A
B
Have
once
more
comments
that
I
I
recently
I
found
that
Auckland
is
is
out
of
maintenance
for
a
long
time
and
they
haven't,
they
haven't
upgraded
their
kubernetes
Library
dependency
and
there's
no
release
I
think
that
at
least
for
one
one
year
more
than
one
year,
I
guess
that
project
is
not
in
maintenance
anymore.
So
do
we
want
to
move
to
to
to
move
to
another
visible
software
project
for
triple
flow
or
the
other
future
that
you
see
we
currently
have
with
octant.
A
B
A
A
A
Yeah
I
completely
agree
with
you
that
this
is
something
that
was
actually
I
believe
known
for
a
few
months
already.
So
we
need
to
take
action
on
this
front,
but
I
also
believe
that
we
probably
needed
to
get
the
feedback
from
the
developers
that
have
more
experience
with
the
working
on
the
front
end.
B
E
A
D
A
Three
two
one
zero,
so
it
appears
that
it's
all
for
today,
so
thanks
everyone
for
attending
again
happy
New
Year.
The
next
community
meeting
is
should
be
on
January,
the
17th,
which
is
before
the
Chinese
Spring
Festival
vacation.
So
it
should
be
okay,
but
the
one
after
which
is
on
January,
the
31st
I
think
technically.
This
is
a
a
working
day
in
China,
but
I
know
that
many
many
folks
in
China
tend
to
take
two
weeks
off
around
the
New
Year's
Day.