<div dir="ltr"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">Édouard:</span><br><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br>
</span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">I didn't realize that there's a Linux software bridge inolved when security groups are enabled.</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">However, this doesn't really answer my original question. I asked about the fact that there seemed to be two openvswitch bridges that packets have to cross to get from the virtual interface (say, vnet0) to the physical interface (say, eth2) on the host, assuming the openvswitch plugin and using vlan for transport.</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">vnet0 <--> br-int <--> br-eth2 <--> eth2.</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br>
</span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">Based on your answer, I see that there are actually three bridges that packets have to traverse when using security groups:</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">vnet0 <--> qbr???? <--> br-int <--> br-eth2 <--> eth2</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">Is this view correct? If so, is there a performance penalty (e.g., increased latency, reduced bandwidth) for having to cross two Open vSwitch bridges: br-int and br-eth2? </span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">If there is a penalty, I was curious as to whether this splitting into two bridges was done because it isn't possible to implement the desired functionality using a single openvswitch bridge, or if there was some other reason why it was split out into two (e.g., to simplify the implementation).</span></div>
<div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px">Lorin</span></div>
<div style><br></div><div style><br></div><div style><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12.727272033691406px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, May 7, 2013 at 2:38 AM, Édouard Thuleau <span dir="ltr"><<a href="mailto:thuleau@gmail.com" target="_blank">thuleau@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><font face="arial, helvetica, sans-serif" color="#000000"><span style="line-height:21px">OVS is not compatible with iptables + ebtables rules that are applied directly on VIF ports.</span><br>
</font><div><font face="arial, helvetica, sans-serif" color="#000000"><span style="line-height:21px">So the </span>libvirt_vif_driver<span style="line-height:21px"> '</span>nova.virt.libvirt.vif.LibvirtHybirdOVSBridgeDriver' create a Linux software bridge to be able to apply security group rules with iptables.</font></div>
<div><font face="arial, helvetica, sans-serif" color="#000000"><br></font></div><div><font face="arial, helvetica, sans-serif" color="#000000">If you don't need the security group functionalities, you can use libvirt_vif_driver '<span style="line-height:18px">nova.virt.libvirt.vif.LibvirtOpenVswitchVirtualPortDriver' or '</span><span style="line-height:18px">nova.virt.libvirt.vif.LibvirtOpenVswitchDriver' (depends on your libvirt version). </span><a href="http://docs.openstack.org/trunk/openstack-network/admin/content/nova_with_quantum_vifplugging_ovs.html" target="_blank">http://docs.openstack.org/trunk/openstack-network/admin/content/nova_with_quantum_vifplugging_ovs.html</a></font></div>
<div><font face="arial, helvetica, sans-serif" color="#000000"><br></font></div><div class="gmail_extra"><font face="arial, helvetica, sans-serif" color="#000000">
I think this point must be listed in the limitations page of the OpenStack Networking Admin guide <a href="http://docs.openstack.org/grizzly/openstack-network/admin/content/ch_limitations.html" target="_blank">http://docs.openstack.org/grizzly/openstack-network/admin/content/ch_limitations.html</a></font></div>
<div class="gmail_extra"><font face="arial, helvetica, sans-serif" color="#000000"><br></font></div><div class="gmail_extra"><font face="arial, helvetica, sans-serif" color="#000000">Édouard.</font><br><br><div class="gmail_quote">
<div><div class="h5">
On Tue, May 7, 2013 at 2:46 AM, Lorin Hochstein <span dir="ltr"><<a href="mailto:lorin@nimbisservices.com" target="_blank">lorin@nimbisservices.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div class="h5">
<div dir="ltr">I'm trying to wrap my head around how Quantum works. If understanding things correctly, when using the openvswitch plugin, a packet traveling from a guest out to the physical switch has to cross two software bridges: <div>
<br></div><div>1. br-int</div><div>2. br-ethN or br-tun (depending on whether using VLANs or GRE tunnels)</div><div><br></div><div>So, I think I understand the motivation behind this: the integration bridge handles the rules associated with the virtual networks defined by OpenStack users, and the (br-ethN | br-tun) bridge handles the rules associated with moving the packets across the physical network.</div>
<div><br></div><div>My question is: Does having two software bridges in the path incur a larger network performance penalty than if there was only a single software bridge between the VIF and the physical network interface?</div>
<div><div><br></div><div>If so, was Quantum implemented this way because it's simply not possible to achieve the desired functionality using a single openvswitch bridge, or was it because using the dual-bridge approach simplified the implementation, or was there some other reason?</div>
<span><font color="#888888">
<div><br></div><div>Lorin</div><div>-- <br><div dir="ltr">Lorin Hochstein<br><div>Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="http://www.nimbisservices.com" target="_blank">www.nimbisservices.com</a></div>
</div>
</div></font></span></div></div>
<br></div></div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Lorin Hochstein<br><div>Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="http://www.nimbisservices.com" target="_blank">www.nimbisservices.com</a></div>
</div>
</div>