5:26 a.m.
Hello,
1) we just don't need it, we are using the provider network which includes
hardware firewalls.
2) We have huge performance problems regarding TCP_CRR / TCP_RR. The
OpenStack VMs can deal just half of TCP connections per second compared to
our bare metal installations. Throughput (10Gbit NIC) is fine though. Specs
VMs and bare metal are of course equal (RAM, Cores, etc.)
Did a lot of testing regarding the performance issues, it happens "after"
the both (br-int/br-ex) openvswitches. Upgraded ovs to version 2.3 just fyi.
Cheers
Chris
-----Original Message-----
From: rdo-list-bounces(a)redhat.com [mailto:rdo-list-bounces@redhat.com] On
Behalf Of Ihar Hrachyshka
Sent: Wednesday, October 29, 2014 16:51
To: rdo-list(a)redhat.com
Subject: Re: [Rdo-list] Compute Node without firewall (iptables) and Linux
bridge
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 29/10/14 09:33, Chris wrote:
Hello
I?m looking for a way to disable any firewall feature in one of our
compute nodes and prevent the creation of the Linux bridge in the data
path inside of this compute node.
Can you elaborate on reasons to disable it? Of course it sounds a bit not
optimal, but do you have any performance concerns that you try to address in
this way?
We using the RDO Icehouse release.
Here is the configuration in the compute node:
#/etc/neutron/plugin.ini
[securitygroup]
#firewall_driver =
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
firewall_driver = neutron.agent.firewall.NoopFirewall
# enable_security_group = True
enable_security_group = False
#/etc/nova/nova.conf
firewall_driver = nova.virt.firewall.NoopFirewallDriver
#security_group_api = neutron
#/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
enable_security_group = False
The firewall seems to be disabled but the bridge and the interfaces
are being still created.
I found an older post about it:
http://lists.openstack.org/pipermail/openstack/2014-May/007079.html
But changing ?portbindings.OVS_HYBRID_PLUG" from a hard-coded "True"
to "False" didn?t change anything.
Please advise!
Cheers
Chris
_______________________________________________ Rdo-list mailing list
Rdo-list(a)redhat.com https://www.redhat.com/mailman/listinfo/rdo-list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
iQEcBAEBCgAGBQJUULidAAoJEC5aWaUY1u57NhEIAJQ4GP+SdJ9TJOQ3AeyMhhit
itqXiwunBQBD5Y5NXtXHzYPxA7r5+nj/ZJLkz8lWXEgf6e7vl5RbOTLxrA1B3pqU
vWppW/jK5RHbMxNqoV0pL/z+HVhxrHeXRO/hbFzQxIyLO1IPkOlENzA5oBuOJtoF
t/cvA0LUfc8uDE21MTS0XFjpwAoLIYj244J6+vCwv2AmwxvU+34D04YvGzfIoXm1
wVDXFItGjT52Lp2+ASdc38lzGOxc/5jXwE4XT4ZXWRTTx6iG8yJ6VXLrZf+915hF
8AJT0MIlTB+LYZ/YntTUtoVxYyJEIfvcblR6l8JTo1iGwSlDpVGvo4h4C82iQu4=
=MoUk
-----END PGP SIGNATURE-----
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list