[openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
Mooney, Sean K
sean.k.mooney at intel.com
Wed Aug 9 15:01:22 UTC 2017
> -----Original Message-----
> From: pranab boruah [mailto:pranabjyotiboruah at gmail.com]
> Sent: Wednesday, August 9, 2017 2:36 PM
> To: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev at lists.openstack.org>
> Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type
> I am experimenting with the os-vif library and stumbled upon this new
> VIF type called VIFHostDevice. I have few general queries. TIA.
> 1. How do I create ports with VIF_type as VIFHostDevice? Looking for
> the CLI command options.
[Mooney, Sean K] hi os-vif vif objects such as VIFHostDevice have no direct correlation
With the neutron port binding extention vif_type or vnic_type. That is to say you
Cannot direcly request VIFHostDevice via the cli by seting a vif_type or vnic_type.
The vif object in os vif are datastuctures that encapluate the common datamodel that
Descibse a specific network interface type. In the case of VIFHostDevice this corresponds
To a sriov VF. This is then paird with a os-vif plugin which encapsulates the port binding logic
For plugging these abstract vif into that specific network backend. This is combined with an
Os vif port profile object which transports any backend specific info that cannot be generically included
Int the os vif vif object. For example vf representor netdev address or a vSwitches bridge name.
> 2. Say, I have OVS running completely on x86 host(no datapath or flow
> offload to
> NIC) as the networking mechanism and a SRIOV capable NIC(for existence
> of VF representors that will be added to the OVS bridge). Can I still
> launch instances with VIF_type as VIFHostDevice?
[Mooney, Sean K] you can launch an instance with that configuration yes however
You will not have any way to manage that vf via ovs. Libvirt would still
Connect the dataplane to the vm via standard host passthrouhg/sriov howver
Applying action to the representor port attached to the ovs bridge such as
Tagging the interface with a vlan or installing openflow rules to fileter the traffic
With the ovs conntrack security group driver would have no effect on dataplane.
> 3. I want to use Security Groups using OVS+Conntrack as the mechanism.
> Can I apply SG rules on the ports of type VIFHostDevice using the above
[Mooney, Sean K] that should work with a melonox or netroneome smart nic with
A ovs that support the tc flower offload if they have implemented conntrack support
But it would not work with a generic nic. That is something that in the future we do intend
To support but at present it requires nic support to enable with conntrack. It may be possible
To use the learn action openflow security group driver if your nic does not support conntrack
For stateless firewalling which is still better then what you have today with sriov but the
Bottome line is you need nic support in hardware/firmware and ovs support for that nic offload to make this work.
> PS: I am still trying to understand this. Hence, I might get my
> premises wrong in the above questions. Will appreciate a detailed
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-
> request at lists.openstack.org?subject:unsubscribe
More information about the OpenStack-dev