[Rdo-list] Compute Node without firewall (iptables) and Linux bridge

Chris contact at progbau.de
Wed Oct 29 10:26:15 UTC 2014


Hello,

1) We just don't need it; we are using the provider network, which includes
hardware firewalls.
2) We have huge performance problems regarding TCP_CRR / TCP_RR. The
OpenStack VMs can deal with just half of the TCP connections per second
compared to our bare metal installations. Throughput (10Gbit NIC) is fine
though. Specs of VMs and bare metal are of course equal (RAM, cores, etc.).

I did a lot of testing regarding the performance issues; it happens "after"
both (br-int/br-ex) openvswitches. Upgraded OVS to version 2.3, just FYI.

Cheers
Chris


-----Original Message-----
From: rdo-list-bounces at redhat.com [mailto:rdo-list-bounces at redhat.com] On
Behalf Of Ihar Hrachyshka
Sent: Wednesday, October 29, 2014 16:51
To: rdo-list at redhat.com
Subject: Re: [Rdo-list] Compute Node without firewall (iptables) and Linux
bridge

On 29/10/14 09:33, Chris wrote:
> Hello
> 
> 
> 
> I'm looking for a way to disable any firewall feature in one of our 
> compute nodes and prevent the creation of the Linux bridge in the data 
> path inside of this compute node.

Can you elaborate on reasons to disable it? Of course it sounds a bit not
optimal, but do you have any performance concerns that you try to address in
this way?

> 
> We are using the RDO Icehouse release.
> 
> 
> 
> Here is the configuration in the compute node:
> 
> #/etc/neutron/plugin.ini
> 
> [securitygroup]
> 
> #firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> 
> firewall_driver = neutron.agent.firewall.NoopFirewall
> 
> # enable_security_group = True
> 
> enable_security_group = False
> 
> 
> 
> #/etc/nova/nova.conf
> 
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> 
> #security_group_api = neutron
> 
> 
> 
> #/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
> 
> [securitygroup]
> 
> firewall_driver = neutron.agent.firewall.NoopFirewallDriver
> 
> enable_security_group = False
> 
> 
> 
> The firewall seems to be disabled but the bridge and the interfaces 
> are still being created.
> 
> I found an older post about it: 
> http://lists.openstack.org/pipermail/openstack/2014-May/007079.html
>
> But changing "portbindings.OVS_HYBRID_PLUG" from a hard-coded "True" 
> to "False" didn't change anything.
> 
> 
> 
> Please advise!
> 
> 
> 
> Cheers
> 
> Chris
> 
> 
> 
> 
> 

_______________________________________________
Rdo-list mailing list
Rdo-list at redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list




