[openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk

Mooney, Sean K sean.k.mooney at intel.com
Tue Aug 16 11:13:53 UTC 2016



> -----Original Message-----
> From: Assaf Muller [mailto:assaf at redhat.com]
> Sent: Monday, August 15, 2016 2:50 PM
> To: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev at lists.openstack.org>
> Cc: Mooney, Sean K <sean.k.mooney at intel.com>
> Subject: Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
> security group driver with ovs-dpdk
> 
> + Jakub.
> 
> On Wed, Aug 10, 2016 at 9:54 AM,
> <Kostiantyn.Volenbovskyi at swisscom.com> wrote:
> > Hi,
> >> [Mooney, Sean K]
> >> In ovs 2.5 only linux kernel conntrack was supported assuming you had
> >> a 4.x kernel that supported it. that means that the feature was not
> >> available on bsd, windows or with dpdk.
> > Yup, I also thought about something like that.
> > I think I was at-least-slightly misguided by
> > http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
> > and there is currently a statement
> > "The native OVS firewall implementation requires kernel and user
> > space support for conntrack, thus requiring minimum versions of the
> > Linux kernel and Open vSwitch. All cases require Open vSwitch version
> > 2.5 or newer."
> 
> I agree, that statement is misleading.
[Mooney, Sean K] The 2.6 branch now exists so it is probably ok to refer to
2.6 now. https://github.com/openvswitch/ovs/commits/branch-2.6
The release should be made ~ September 15th
https://github.com/openvswitch/ovs/blob/797dad21566fecc60de3ce6f93c81ad55a61fe86/Documentation/release-process.md#release-scheduling
which will be before the next openstack release.
If you would like I can update the networking guide to reflect the change in ovs.

> 
> >
> > Do you agree that this is something to change? I think it is not OK
> > to state OVS 2.6 without that being released, but in case I am not
> > confusing then:
> > -OVS firewall driver with OVS that uses kernel datapath requires OVS
> > 2.5 and Linux kernel 4.3
> > -OVS firewall driver with OVS that uses userspace datapath with DPDK
> > (aka ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a
> > Linux kernel prerequisite. That is documented in table in
> > "### Q: Are all features available with all datapaths?":
> > http://openvswitch.org/support/dist-docs/FAQ.md.txt
> > where currently 'Connection tracking' row says 'NO' for 'Userspace' -
> > but that's exactly what has been merged recently /to become feature of
> > OVS 2.6
> >
> > Also when it comes to performance I came across
> > http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I
> > would guess that devil could be the exact flows/ct actions that will be
> > present in real-life scenario.
> >
> >
> > BR,
> > Konstantin
> >
> >
> >> -----Original Message-----
> >> From: Mooney, Sean K [mailto:sean.k.mooney at intel.com]
> >> Sent: Tuesday, August 09, 2016 2:29 PM
> >> To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC
> >> <Kostiantyn.Volenbovskyi at swisscom.com>; openstack-dev at lists.openstack.org
> >> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
> >> security group driver with ovs-dpdk
> >>
> >>
> >> > -----Original Message-----
> >> > From: Kostiantyn.Volenbovskyi at swisscom.com
> >> > [mailto:Kostiantyn.Volenbovskyi at swisscom.com]
> >> > Sent: Tuesday, August 9, 2016 12:58 PM
> >> > To: openstack-dev at lists.openstack.org; Mooney, Sean K
> >> > <sean.k.mooney at intel.com>
> >> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk]
> >> > conntrack security group driver with ovs-dpdk
> >> >
> >> > Hi,
> >> > (sorry for using incorrect threading)
> >> >
> >> > > > About 2 weeks ago I did some light testing with the conntrack
> >> > > > security group driver and the newly merged userspace conntrack
> >> > > > support in ovs.
> >> > > >
> >> > By 'recently' - whether you mean patch v4
> >> > http://openvswitch.org/pipermail/dev/2016-June/072700.html
> >> > or you used OVS 2.5 itself (which I think includes v2 of the same
> >> > patch series)?
> >> [Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016-June/072700.html
> >> or specifically i used the following commit
> >> https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669
> >> which is just after userspace conntrack was merged,
> >> >
> >> > So in general - I am a bit confused about conntrack support in OVS.
> >> >
> >> > OVS 2.5 release notes
> >> > http://openvswitch.org/pipermail/announce/2016-February/000081.html state:
> >> > "This release includes the highly anticipated support for
> >> > connection tracking in the Linux kernel.  This feature makes it
> >> > possible to implement stateful firewalls and will be the basis for
> >> > future stateful features such as NAT and load-balancing.  Work is
> >> > underway to bring connection tracking to the userspace datapath
> >> > (used by DPDK) and the port to Hyper-V."  - in the way that 'work
> >> > is underway' (=work is ongoing) means that at the time of OVS 2.5
> >> > release the feature was not 'classified' as ready?
> >> [Mooney, Sean K]
> >> In ovs 2.5 only linux kernel conntrack was supported assuming you had
> >> a 4.x kernel that supported it. that means that the feature was not
> >> available on bsd, windows or with dpdk.
> >>
> >> In the upcoming ovs 2.6 release conntrack support has been added to
> >> the Netdev datapath which is used with dpdk and on bsd. As far as I
> >> am aware windows conntrack support is still missing but I may be wrong.
> >>
> >> If you are interested the devstack local.conf I used to test that it
> >> functioned is available here http://paste.openstack.org/show/552434/
> >>
> >> I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces
> >> to do the testing.
> >>
> >>
> >> >
> >> >
> >> > BR,
> >> > Konstantin
> >> >
> >> >
> >> >
> >> > > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K
> >> > > <sean.k.mooney at intel.com> wrote:
> >> > > > Hi just a quick fyi,
> >> > > >
> >> > > > About 2 weeks ago I did some light testing with the conntrack
> >> > > > security group driver and the newly merged userspace conntrack
> >> > > > support in ovs.
> >> > > >
> >> > > > I can confirm that at least from my initial smoke tests where I
> >> > > > used netcat, ping and ssh to try and establish connections between
> >> > > > two vms the conntrack security group driver appears to function
> >> > > > correctly with the userspace connection tracker.
> >> > > >
> >> > > > We have not looked at any of the performance yet but assuming
> >> > > > it is at an acceptable level I am planning to deprecate the learn
> >> > > > action based driver in networking-ovs-dpdk and remove it once we
> >> > > > have cut the stable newton branch.
> >> > > >
> >> > > > We hope to do some rfc 2544 throughput testing to evaluate the
> >> > > > performance sometime mid-September.
> >> > > >
> >> > > > Assuming all goes well I plan on enabling the conntrack based
> >> > > > security group driver by default when the networking-ovs-dpdk
> >> > > > devstack plugin is loaded. We will also evaluate enabling the
> >> > > > security group tests in our third party ci to ensure it continues
> >> > > > to function correctly with ovs-dpdk.
> >> > > >
> >> > > > Regards
> >> > > >
> >> > > > Seán
> >> > > >
> >> > >
> >> > > > ______________________________________________________________________
> >> > > > OpenStack Development Mailing List (not for usage questions)
> >> > > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> > > >
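The version matrix Konstantin spells out above (kernel datapath: OVS 2.5 plus Linux kernel 4.3; userspace/DPDK "netdev" datapath: OVS 2.6 with no kernel prerequisite) is exactly what an operator wants to check on a host before switching Neutron's security group implementation to the native OVS firewall driver, since a conntrack action the datapath cannot execute means the stateful rules silently do not apply. The POSIX shell script below is an added example written for this page; it is not code from the thread, from networking-ovs-dpdk or from Neutron. The function names are this example's own, the stated versions are treated as minimums, and reading `br-int`'s `datapath_type` (empty meaning the kernel datapath) is an assumption about how the host is configured.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for Neutron's native
# OVS firewall (conntrack security group) driver, encoding the requirements
# quoted in the thread. Function names and the reading of the versions as
# minimums are assumptions of this example.
#
#   datapath_type "system" (kernel datapath):  OVS >= 2.5 and Linux >= 4.3
#   datapath_type "netdev" (userspace/DPDK):   OVS >= 2.6, no kernel requirement

# version_ge A B: succeed when dotted version A is >= B.
# Suffixes such as "-36-generic" are ignored; missing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# ovs_version_from_banner "ovs-vsctl (Open vSwitch) 2.6.0" -> "2.6.0"
# (the first line of `ovs-vsctl --version` has this shape)
ovs_version_from_banner() {
    echo "$1" | sed -n 's/.*(Open vSwitch) \([0-9][0-9.]*\).*/\1/p'
}

# ovs_fw_driver_supported OVS_VERSION DATAPATH_TYPE [KERNEL_VERSION]
# Prints a one-line verdict; returns 0 when the driver can be enabled, 1 otherwise.
ovs_fw_driver_supported() {
    ovs=$1; datapath=$2; kernel=${3:-}
    case "$datapath" in
        system)
            version_ge "$ovs" 2.5 || { echo "unsupported: kernel datapath needs OVS >= 2.5 (have $ovs)"; return 1; }
            version_ge "$kernel" 4.3 || { echo "unsupported: kernel datapath needs Linux >= 4.3 for conntrack (have ${kernel:-unknown})"; return 1; }
            echo "ok: kernel datapath with OVS $ovs on Linux $kernel"
            ;;
        netdev)
            version_ge "$ovs" 2.6 || { echo "unsupported: userspace (netdev/DPDK) datapath needs OVS >= 2.6 for conntrack (have $ovs)"; return 1; }
            echo "ok: userspace datapath with OVS $ovs (conntrack lives in OVS itself, no kernel requirement)"
            ;;
        *)
            echo "unsupported: unknown datapath_type '$datapath'"
            return 1
            ;;
    esac
}

# check_this_host: run the check against the local host. Reads the OVS version
# from ovs-vsctl, the datapath type of br-int (Neutron's integration bridge;
# an empty field is assumed to mean the kernel datapath) and the kernel from
# uname. Only meaningful where ovs-vsctl is installed.
check_this_host() {
    banner=$(ovs-vsctl --version | head -n 1)
    dp=$(ovs-vsctl --if-exists get Bridge br-int datapath_type 2>/dev/null | tr -d '"')
    ovs_fw_driver_supported "$(ovs_version_from_banner "$banner")" "${dp:-system}" "$(uname -r)"
}

# Constructed sample inputs (not real deployments):
ovs_fw_driver_supported 2.5.0 system 4.4.0-36-generic || :
ovs_fw_driver_supported 2.5.0 netdev || :
ovs_fw_driver_supported 2.6.0 netdev || :
if command -v ovs-vsctl >/dev/null 2>&1; then check_this_host || :; fi
```

On a DevStack host the last line does the real work; the three constructed calls above it show the two failure modes the thread discusses (OVS 2.5 with the DPDK datapath, and the kernel datapath on too old a kernel) next to a passing configuration.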

