Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Brian Haley

On 12/04/2014 09:50 AM, Kyle Mestery wrote:
> Is ipset support present in all supported distributions?
> 
> 
> It is from Red Hat perspective, not sure Ubuntu, and the others, I think
> Juno was targeted to Ubuntu 14.04 only (which does have ipset kernel
> support and its tool).
> 
> Ipset was in kernel since 2.4.x, but RHEL6/Centos6 didn’t ship the tools
> neither enabled it on kernel (AFAIK).
> 
>> Once we verify Ubuntu's support for ipset (kernel and user tools), I'm +1
>> to this proposal. RHEL/CentOS/Fedora and SuSe look good.

There is ipset support in at least 12.04 and later (packages site shows 10.04
too), so I think Ubuntu is good to go.

-Brian

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Kyle Mestery
On Thu, Dec 4, 2014 at 8:40 AM, Miguel Ángel Ajo wrote:
>
>
> On Thursday, 4 de December de 2014 at 15:19, Ihar Hrachyshka wrote:
>
> On Thursday, 4 de December de 2014 at 15:06, Miguel Ángel Ajo
> wrote:
>
>
>
> During Juno, we introduced the enhanced security groups rpc
> (security_groups_info_for_devices) instead of
> (security_group_rules_for_devices), and the ipset functionality
> to offload iptable chains a bit.
>
>
> Here I propose to:
>
> 1) Remove the old security_group_info_for_devices, which was left
> to ease operators upgrade path from I to J (allowing running old
> openvswitch agents as we upgrade)
>
> Doing this we can cleanup the current iptables firewall driver a
> bit from unused code paths.
>
>
> +1.
>
>
> I suppose this would require a major RPC version bump.
>
> 2) Remove the option to disable ipset (now it’s enabled by
> default and seems to be working without problems), and make it a
> standard way to handle “IP” groups from the iptables
> perspective.
>
>
> Is ipset support present in all supported distributions?
>
>
> It is from Red Hat perspective, not sure Ubuntu, and the others, I think
> Juno was targeted to Ubuntu 14.04 only (which does have ipset kernel
> support and its tool).
>
> Ipset was in kernel since 2.4.x, but RHEL6/Centos6 didn’t ship
> the tools neither enabled it on kernel (AFAIK).
>
Once we verify Ubuntu's support for ipset (kernel and user tools), I'm
+1 to this proposal. RHEL/CentOS/Fedora and SuSe look good.

Thanks,
Kyle

>
>
>
>
> Thoughts?,
>
> Best regards, Miguel Ángel Ajo


Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Rossella Sblendido


On 12/04/2014 03:19 PM, Ihar Hrachyshka wrote:
> Is ipset support present in all supported distributions?

SUSE distributions support ipset.

+1 for Miguel Angel's proposal

cheers,

Rossella


Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Miguel Ángel Ajo


On Thursday, 4 de December de 2014 at 15:19, Ihar Hrachyshka wrote:  
> > On Thursday, 4 de December de 2014 at 15:06, Miguel Ángel Ajo
> > wrote:
> >  
> > >  
> > >  
> > > During Juno, we introduced the enhanced security groups rpc  
> > > (security_groups_info_for_devices) instead of  
> > > (security_group_rules_for_devices), and the ipset functionality
> > > to offload iptable chains a bit.
> > >  
> > >  
> > > Here I propose to:
> > >  
> > > 1) Remove the old security_group_info_for_devices, which was left
> > > to ease operators upgrade path from I to J (allowing running old
> > > openvswitch agents as we upgrade)
> > >  
> > > Doing this we can cleanup the current iptables firewall driver a
> > > bit from unused code paths.
> > >  
> >  
> >  
>  
>  
> +1.
>  
> > >  
> > > I suppose this would require a major RPC version bump.
> > >  
> > > 2) Remove the option to disable ipset (now it’s enabled by
> > > default and seems to be working without problems), and make it a
> > > standard way to handle “IP” groups from the iptables
> > > perspective.
> > >  
> >  
>  
>  
> Is ipset support present in all supported distributions?
>  

It is from Red Hat perspective, not sure Ubuntu, and the others, I think
Juno was targeted to Ubuntu 14.04 only (which does have ipset kernel
support and its tool).

Ipset was in kernel since 2.4.x, but RHEL6/Centos6 didn’t ship
the tools neither enabled it on kernel (AFAIK).  

  
>  
> > >  
> > >  
> > > Thoughts?,
> > >  
> > > Best regards, Miguel Ángel Ajo
> > >  



Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Ihar Hrachyshka

> On Thursday, 4 de December de 2014 at 15:06, Miguel Ángel Ajo
> wrote:
> 
>> 
>> 
>> During Juno, we introduced the enhanced security groups rpc 
>> (security_groups_info_for_devices) instead of 
>> (security_group_rules_for_devices), and the ipset functionality
>> to offload iptable chains a bit.
>> 
>> 
>> Here I propose to:
>> 
>> 1) Remove the old security_group_info_for_devices, which was left
>> to ease operators upgrade path from I to J (allowing running old
>> openvswitch agents as we upgrade)
>> 
>> Doing this we can cleanup the current iptables firewall driver a
>> bit from unused code paths.
>> 

+1.

>> 
>> I suppose this would require a major RPC version bump.
>> 
>> 2) Remove the option to disable ipset (now it’s enabled by
>> default and seems to be working without problems), and make it a
>> standard way to handle “IP” groups from the iptables
>> perspective.

Is ipset support present in all supported distributions?

>> 
>> 
>> Thoughts?,
>> 
>> Best regards, Miguel Ángel Ajo
>> 


Re: [openstack-dev] [neutron] Deprecating old security groups code / RPC.

2014-12-04 Thread Miguel Ángel Ajo

Sorry, adding [neutron] to the subject.

Miguel Ángel Ajo


On Thursday, 4 de December de 2014 at 15:06, Miguel Ángel Ajo wrote:

>  
>  
> During Juno, we introduced the enhanced security groups rpc 
> (security_groups_info_for_devices) instead of 
> (security_group_rules_for_devices),  
> and the ipset functionality to offload iptable chains a bit.
>  
>  
> Here I propose to:
>  
> 1) Remove the old security_group_info_for_devices, which was left to ease
> operators upgrade path from I to J (allowing running old openvswitch agents
> as we upgrade)
>  
> Doing this we can cleanup the current iptables firewall driver a bit from 
> unused code paths.
>  
>  
> I suppose this would require a major RPC version bump.
>  
> 2) Remove the option to disable ipset (now it’s enabled by default and seems
> to be working without problems), and make it a standard way to handle “IP”
> groups from the iptables perspective.
>  
>  
> Thoughts?,
>  
> Best regards,
> Miguel Ángel Ajo
>  

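The ipset offloading mentioned in the proposal above, as an added example that is not part of the original thread and not Neutron's own code: it generates the rules for one remote group both ways (one iptables rule per member versus a single `--match-set` rule backed by an ipset) and shows that a membership change then only touches the set. The chain name, set name and addresses are constructed for illustration, and only IPv4 (`hash:ip family inet`) is covered.

```python
import ipaddress

# Hypothetical names and constructed addresses, for illustration only.
IPSET_MAX_NAME = 31  # ipset rejects set names longer than 31 characters


def _sorted_ips(members):
    # IPv4Address() raises ValueError on anything that is not a literal
    # IPv4 address, so arbitrary strings never reach the generated rules.
    return [str(a) for a in sorted(ipaddress.IPv4Address(m) for m in members)]


def per_ip_rules(chain, members):
    """Without ipset: one iptables rule per member of the remote group."""
    return [f"-A {chain} -s {ip}/32 -j RETURN" for ip in _sorted_ips(members)]


def ipset_rules(chain, set_name, members):
    """With ipset: members go into a kernel set, the chain keeps one rule."""
    if len(set_name) > IPSET_MAX_NAME:
        raise ValueError("ipset name too long")
    restore = [f"create {set_name} hash:ip family inet"]
    restore += [f"add {set_name} {ip}" for ip in _sorted_ips(members)]
    return restore, [f"-A {chain} -m set --match-set {set_name} src -j RETURN"]


def membership_delta(set_name, old, new):
    """ipset commands for a membership change; the iptables chain is untouched."""
    return ([f"del {set_name} {ip}" for ip in _sorted_ips(old - new)] +
            [f"add {set_name} {ip}" for ip in _sorted_ips(new - old)])


# Constructed sample: a 50-member group, then one member replaced.
OLD = {f"10.0.0.{i}" for i in range(1, 51)}
NEW = (OLD - {"10.0.0.7"}) | {"10.0.0.60"}

if __name__ == "__main__":
    restore, rules = ipset_rules("sg-chain", "sg-web-v4", OLD)
    print(len(per_ip_rules("sg-chain", OLD)), "iptables rules without ipset")
    print(len(rules), "iptables rule and", len(restore) - 1, "set entries with ipset")
    print("\n".join(membership_delta("sg-web-v4", OLD, NEW)))
```
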

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev