[Rdo-list] Compute Node without firewall (iptables) and Linux bridge

Chris contact at progbau.de
Wed Nov 19 10:44:39 UTC 2014


Hello

Sure, it's actually part of the documentation:
http://docs.openstack.org/havana/install-guide/install/apt/content/figures/7/a/common/figures/UseCase-MultiFlat.png



On 2014-11-12 17:50, Miguel Angel wrote:
> Hmm, interesting, can you share a diagram of your topology?
> (just curious) :)
> 
> Greetings!!,
> 
> ---
> irc: ajo / mangelajo
> Miguel Angel Ajo Pelayo
> +34 636 52 25 69
> skype: ajoajoajo
> 
> 2014-11-12 9:19 GMT+01:00 Chris <contact at progbau.de>:
> 
>> Hello Miguel,
>> 
>> thanks for your input!
>> 
>> We avoided VXLAN/GRE, we use a multi-flat provider network, so each
>> compute node's traffic goes directly to the provider network without
>> neutron routers in between.
>> 
>> Cheers
>> Chris
>> 
>> On 2014-11-11 14:21, Miguel Angel wrote:
>> Hi Chris, 
>> 
>> If you care a lot about performance, try to make sure that you
>> either:
>> 
>> a) Increase MTU on all your tunneling interfaces to avoid
>> fragmentation.
>> 
>> or
>> 
>> b) work with VLANs instead of VXLAN/GRE.
>> 
>> Best regards.
>> Miguel Ángel.
>> 
>> ---
>> irc: ajo / mangelajo
>> Miguel Angel Ajo Pelayo
>> 
>> +34 636 52 25 69 [1]
>> skype: ajoajoajo
>> 
>> 2014-11-11 4:24 GMT+01:00 Chris <contact at progbau.de>:
>> 
>> Hello Ihar,
>> 
>> Thanks for taking care of this! Let's hope the backport for Icehouse
>> will be available soon.
>> We will use it in our setup!
>> 
>> Cheers
>> Chris
>> 
>> -----Original Message-----
>> From: rdo-list-bounces at redhat.com [mailto:rdo-list-bounces at redhat.com] On Behalf Of Ihar Hrachyshka
>> Sent: Monday, November 10, 2014 17:53
>> To: rdo-list at redhat.com
>> Subject: Re: [Rdo-list] Compute Node without firewall (iptables) and Linux bridge
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>> 
>> Hey,
>> 
>> I've looked closer into the issue. Indeed, neutron does not send
>> proper VIF details flags to disable hybrid bridging on nova side. The
>> issue was fixed with the following patch in master:
>> 
>> - https://review.openstack.org/#/c/104240/ [2] [1]
>> 
>> I've requested a backport for the patch for Icehouse and Juno:
>> 
>> - https://review.openstack.org/133421 [3] [2] (Icehouse)
>> - https://review.openstack.org/132759 [4] [3] (Juno)
>> 
>> We'll need to wait for the patch to be merged in corresponding
>> branches and be released to reach RDO repos though. So if you're keen
>> to get the functionality ASAP, you can apply the patch to your setup
>> in the meantime.
>> 
>> Cheers,
>> /Ihar
>> 
>> On 30/10/14 13:32, Ihar Hrachyshka wrote:
>> Do you use monolithic OVS plugin or ML2 mechanism? If the latter,
>> then the file is not involved, and you should instead try to change
>> the value in:
>> 
>> /usr/lib/python2.6/site-packages/neutron/plugins/ml2/drivers/mech_openvswitch.py
>> 
>> That said, removal of .py file is not enough to make sure it's not
>> involved since .pyc file is still there and is used when there is no
>> .py counterpart.
>> 
>> On 30/10/14 11:56, Chris wrote:
>> I just found out that the file in the compute node:
>> 
>> /usr/lib/python2.6/site-packages/neutron/plugins/openvswitch/ovs_neutron_plugin.py
>> 
>> where I edit the portbindings.OVS_HYBRID_PLUG doesn't have any effect.
>> I even can delete the whole file, the bridge is still being created
>> and everything works normally.
>> 
>> Where can I edit the code to prevent the bridge creation?
>> 
>> Cheers Chris
>> 
>> -----Original Message-----
>> From: Chris [mailto:contact at progbau.de]
>> Sent: Thursday, October 30, 2014 01:28
>> To: 'Ihar Hrachyshka'; 'rdo-list at redhat.com'
>> Subject: RE: [Rdo-list] Compute Node without firewall (iptables) and Linux bridge
>> 
>> What do you mean with re-plugged? During my testing I always delete
>> and create new Instances and every time the Linux bridge+interfaces
>> gets deleted and created as well.
>> 
>> Cheers Chris
>> 
>> -----Original Message-----
>> From: Ihar Hrachyshka [mailto:ihrachys at redhat.com]
>> Sent: Thursday, October 30, 2014 00:04
>> To: Chris; rdo-list at redhat.com
>> Subject: Re: [Rdo-list] Compute Node without firewall (iptables) and Linux bridge
>> 
>> Have you replugged your instances? VIF objects are persisted in db, I
>> guess with flags including the one that controls whether a bridge
>> should be created.
>> 
>> Do you still see those bridges created for new instances?
>> 
>> /Ihar
>> 
>> On 29/10/14 11:26, Chris wrote:
>> Hello,
>> 
>> 1) we just don't need it, we are using the provider network which
>> includes hardware firewalls. 2) We have huge performance problems
>> regarding TCP_CRR / TCP_RR. The OpenStack VMs can handle just half of
>> the TCP connections per second compared to our bare metal
>> installations. Throughput (10Gbit NIC) is fine though. Specs of VMs
>> and bare metal are of course equal (RAM, Cores, etc.)
>> 
>> Did a lot of testing regarding the performance issues, it happens
>> "after" both (br-int/br-ex) openvswitches. Upgraded ovs to
>> version 2.3 just fyi.
>> 
>> Cheers Chris
> 
>> -----Original Message-----
>> From: rdo-list-bounces at redhat.com [mailto:rdo-list-bounces at redhat.com] On Behalf Of Ihar Hrachyshka
>> Sent: Wednesday, October 29, 2014 16:51
>> To: rdo-list at redhat.com
>> Subject: Re: [Rdo-list] Compute Node without firewall (iptables) and Linux bridge
> 
>> On 29/10/14 09:33, Chris wrote:
>> Hello
>> 
>> I'm looking for a way to disable any firewall feature in one of our
>> compute nodes and prevent the creation of the Linux bridge in the
>> data path inside of this compute node.
>> 
>>> Can you elaborate on reasons to disable it? Of course it sounds a
>>> bit not optimal, but do you have any performance concerns that you
>>> try to address in this way?
> 
>> We are using the RDO Icehouse release.
>> 
>> Here is the configuration in the compute node:
>> 
>> #/etc/neutron/plugin.ini
>> [securitygroup]
>> #firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>> firewall_driver = neutron.agent.firewall.NoopFirewall
>> # enable_security_group = True
>> enable_security_group = False
>> 
>> #/etc/nova/nova.conf
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>> #security_group_api = neutron
>> 
>> #/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
>> [securitygroup]
>> firewall_driver = neutron.agent.firewall.NoopFirewallDriver
>> enable_security_group = False
> 
>> The firewall seems to be disabled but the bridge and the interfaces
>> are still being created.
>> 
>> I found an older post about it:
>> http://lists.openstack.org/pipermail/openstack/2014-May/007079.html [6] [4]
>> 
>> But changing "portbindings.OVS_HYBRID_PLUG" from a hard-coded
>> "True" to "False" didn't change anything.
>> 
>> Please advise!
>> 
>> Cheers
>> 
>> Chris
> 
>> _______________________________________________
>> Rdo-list mailing list
>> Rdo-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/rdo-list [5] [5]
> 
>> 
>  Links:
>  ------
>  [1] https://review.openstack.org/#/c/104240/ [2]
>  [2] https://review.openstack.org/133421 [3]
>  [3] https://review.openstack.org/132759 [4]
>  [4] http://lists.openstack.org/pipermail/openstack/2014-May/007079.html [6]
>  [5] https://www.redhat.com/mailman/listinfo/rdo-list [5]
> 
> 
> 
> Links:
> ------
> [1] tel:%2B34%20636%2052%2025%2069
> [2] https://review.openstack.org/#/c/104240/
> [3] https://review.openstack.org/133421
> [4] https://review.openstack.org/132759
> [5] https://www.redhat.com/mailman/listinfo/rdo-list
> [6] http://lists.openstack.org/pipermail/openstack/2014-May/007079.html
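As an added illustration (not nova's or neutron's code, and not from anyone in this thread), the following Python models the decision chain the thread walks through: whether the neutron agent's security-group settings count as "firewall enabled", which VIF details the ML2 openvswitch mechanism driver then advertises to nova, and whether nova consequently plugs the port through the qbr Linux bridge. The names `firewall_enabled`, `vif_details`, `creates_linux_bridge` and the `hybrid_hard_coded` switch are assumptions made for the example; the ini text is based on the ovs_neutron_plugin.ini Chris posted.

```python
"""Model of the OVS hybrid-plug decision discussed in this thread.

Illustrative code only, not nova's or neutron's own implementation.
"""
import configparser

# Constructed from the [securitygroup] section Chris posted.
NEUTRON_PLUGIN_INI = """
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
enable_security_group = False
"""

NOOP_DRIVERS = {"neutron.agent.firewall.NoopFirewallDriver"}


def firewall_enabled(ini_text):
    """True only when the agent would actually filter traffic: security
    groups switched on AND a non-noop firewall driver configured."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    enabled = cp.getboolean("securitygroup", "enable_security_group",
                            fallback=True)
    driver = cp.get("securitygroup", "firewall_driver", fallback="")
    return enabled and driver not in NOOP_DRIVERS


def vif_details(sg_enabled, hybrid_hard_coded=False):
    """VIF details the mechanism driver hands to nova in the port binding.

    hybrid_hard_coded=True reproduces the pre-fix behaviour from the thread:
    the hybrid-plug flag was always True, whatever the firewall settings.
    """
    return {
        "port_filter": sg_enabled,
        "ovs_hybrid_plug": True if hybrid_hard_coded else sg_enabled,
    }


def creates_linux_bridge(details):
    """Nova builds the qbr bridge + veth pair only when the flag is set;
    otherwise the tap device is attached directly to br-int."""
    return bool(details.get("ovs_hybrid_plug", False))


if __name__ == "__main__":
    sg = firewall_enabled(NEUTRON_PLUGIN_INI)                             # False
    print("pre-fix driver creates bridge:",
          creates_linux_bridge(vif_details(sg, hybrid_hard_coded=True)))  # True
    print("fixed driver creates bridge:",
          creates_linux_bridge(vif_details(sg)))                          # False
```

The pre-fix case shows why editing the config alone left the bridge in place: the flag nova acts on came from the mechanism driver, not from the firewall settings.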



