<div dir="ltr">I want to add that I'm not using the NoopFirewall as I'm using agent_required = False. So all instances that are not using SRIOV can still use security groups like normal. Instances that are using SRIOV won't have security groups applied though. </div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 20, 2015 at 3:21 PM, Moshe Levi <span dir="ltr"><<a href="mailto:moshele@mellanox.com" target="_blank">moshele@mellanox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
> -----Original Message-----<br>
> From: Andreas Scheuring [mailto:<a href="mailto:scheuran@linux.vnet.ibm.com">scheuran@linux.vnet.ibm.com</a>]<br>
> Sent: Monday, July 20, 2015 10:04 AM<br>
> To: Moshe Levi<br>
</span><span class="">> Cc: Sam Stoelinga; <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Subject: Re: [Openstack] [Neutron][SRIOV][docs] Enabling SRIOV on<br>
> OpenStack Juno step-by-step guide<br>
><br>
</span><span class="">> +1 for updating the wiki<br>
> +1 for adding a section to the docs<br>
><br>
><br>
> Moshe,<br>
> what about the firewall support Sam mentioned? I assume fwaas is<br>
> supported, as it runs on the network node which uses ovs, but Security<br>
> Groups are not working as you're using the NoopFirewallDriver, right?<br>
</span>Yes that is correct. I will update that as well in the wiki.<br>
<div class="HOEnZb"><div class="h5"><br>
> Or is there another FW driver that could be used?<br>
><br>
> Thanks<br>
><br>
><br>
><br>
> On So, 2015-07-19 at 08:12 +0000, Moshe Levi wrote:<br>
> > See my comments inline<br>
> ><br>
> ><br>
> ><br>
> > From: Sam Stoelinga [mailto:<a href="mailto:sammiestoel@gmail.com">sammiestoel@gmail.com</a>]<br>
> > Sent: Sunday, July 19, 2015 10:37 AM<br>
> > To: Moshe Levi<br>
> > Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> > Subject: Re: [Openstack] [Neutron][SRIOV][docs] Enabling SRIOV on<br>
> > OpenStack Juno step-by-step guide<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > I think it was not fair to say it's not up to date. It seems it's up<br>
> > to date, but current downsides of existing OpenStack wikis on SRIOV<br>
> > are missing info, many different Wikis and hard to consume the info:<br>
> ><br>
> ><br>
> > 1. <a href="https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking</a><br>
> ><br>
> ><br>
> > 2. <a href="https://wiki.openstack.org/wiki/Nova-neutron-sriov" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/Nova-neutron-sriov</a><br>
> ><br>
> ><br>
> > 3. <a href="https://wiki.openstack.org/wiki/PCI_passthrough_SRIOV_support" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/PCI_passthrough_SRIOV_support</a><br>
> ><br>
> ><br>
> > 4. <a href="https://wiki.openstack.org/wiki/Pci_passthrough" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/Pci_passthrough</a><br>
> ><br>
> ><br>
> ><br>
> > [ML] – I think the only wiki users should be using is<br>
> > <a href="https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking</a><br>
> > [2],[3] are the blueprints and [4] is PCI-Pass-through without SR-IOV<br>
> > and it refer to [1] which is good.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Things that I noticed that were missing / could be better:<br>
> ><br>
> ><br>
> > 1. Adding PCIDeviceFilter to nova-scheduler<br>
> ><br>
> > [ML] I think you mean the PciPassthroughFilter and you are correct indeed<br>
> it is missing. I will update the wiki.<br>
> > 2. How to enable VFs on compute nodes<br>
> ><br>
> > [ML] – This vendor specific but we can add links to vendor wiki page<br>
> > on how to configure their NIC to support SR-IOV<br>
> ><br>
> ><br>
> > 3. This wiki: <a href="https://wiki.openstack.org/wiki/Nova-neutron-sriov" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/Nova-neutron-sriov</a><br>
> > contains incorrect information.<br>
> ><br>
> ><br>
> > Current wrong: "neutron port-create <net-uuid-from-step-1> --name<br>
> > sriov_port --vnic-type direct "<br>
> ><br>
> ><br>
> > should be "neutron port-create <net-uuid-from-step-1> --name<br>
> > sriov_port --binding:vnic_type direct"<br>
> ><br>
> > [ML] – this is blueprint but I will check if I can update it.<br>
> ><br>
> ><br>
> > 3. Make it more clear that agent_required = False is totally fine<br>
> > and may be better. From what I read you have to disable the firewall<br>
> > functionality if you enable sriov-agent? Not sure if that<br>
> > understanding is correct.<br>
> ><br>
> > [ML] – I agree this is totally need clarification. The<br>
> > agent_required=False is used when you have Intel NIC that doesn’t<br>
> > support admin up/down change. SR-IOV NIC that support admin up/down<br>
> > change should be configured with agent_required =True.<br>
> ><br>
> > I will update the wiki explaining that flag. (by the way we hope to<br>
> > change it in liberty and deprecate the agent_required flag)<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > I would prefer this information to have release bound documentation in<br>
> > for example the Networking<br>
> > Guide: <a href="http://docs.openstack.org/networking-guide/" rel="noreferrer" target="_blank">http://docs.openstack.org/networking-guide/</a> or the Cloud<br>
> > Administrator<br>
> > Guide: <a href="http://docs.openstack.org/admin-guide-cloud/content/" rel="noreferrer" target="_blank">http://docs.openstack.org/admin-guide-cloud/content/</a><br>
> ><br>
> > [ML] – Ok, I guess this is required change in<br>
> > openstack/openstack-manuals repository. Can you help and adding<br>
> > documentations there? Just put me as review. If not I will try do it<br>
> > myself or find someone in Mellanox.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > I believe that using the pci sys interface is vendor compatible. Would<br>
> > be great if you could confirm. Could you try testing $ echo '7'<br>
> > > /sys/class/net/eth3/device/sriov_numvfs on a mellanox card?<br>
> ><br>
> ><br>
> > This way we don't have to write vendor specific docs on enabling VFs<br>
> > :)<br>
> ><br>
> ><br>
> > When using modprobe ixgbe max_vfs=7 it tells you that using max_vfs is<br>
> > deprecated and that the pci sys interface should be used. That's how I<br>
> > found out about this.<br>
> ><br>
> > [ML] – unfortunately it is not generic in Melllanox you need to<br>
> > configure number of VFs and number of probes (also Single Port or<br>
> > Duel Port ) it is more complicateL<br>
> ><br>
> > see <a href="https://community.mellanox.com/docs/DOC-1484" rel="noreferrer" target="_blank">https://community.mellanox.com/docs/DOC-1484</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > On Sun, Jul 19, 2015 at 2:44 PM, Moshe Levi <<a href="mailto:moshele@mellanox.com">moshele@mellanox.com</a>><br>
> > wrote:<br>
> ><br>
> > Hi Sam,<br>
> ><br>
> ><br>
> ><br>
> > Can you explain why you think that the<br>
> > <a href="https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking</a><br>
> is out of date?<br>
> ><br>
> > Moreover you blog explain how to configure SR-IOV on Intel<br>
> > NIC, but keep in mind Neutron SRIOV is generic and can support<br>
> > any other vendors such as Mellanox.<br>
> ><br>
> > Maybe will should add links to how to configure SR-IOV NIC for<br>
> > several Vendors. We can start with Mellanox and Intel NIC.<br>
> > What do you think?<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > From: Sam Stoelinga [mailto:<a href="mailto:sammiestoel@gmail.com">sammiestoel@gmail.com</a>]<br>
> > Sent: Saturday, July 18, 2015 5:55 PM<br>
> > To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> > Subject: [Openstack] [Neutron][SRIOV][docs] Enabling SRIOV on<br>
> > OpenStack Juno step-by-step guide<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Hi networking gurus,<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > While it may be easy for many of you to enable Neutron SRIOV<br>
> > on OpenStack it wasn't a smooth ride for me. I documented<br>
> > exactly which steps were required to enable SRIOV on OpenStack<br>
> > on my<br>
> > blog:<br>
> > <a href="http://samos-it.com/posts/sriov-openstack-juno-fuel-6-1.html" rel="noreferrer" target="_blank">http://samos-it.com/posts/sriov-openstack-juno-fuel-6-1.html</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > It seems there is no official documentation yet other than 2<br>
> > out of date wiki pages. I would like take the content of my<br>
> > blog post to official OpenStack docs if you guys/girls think<br>
> > it's useful for the broader audience.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Regards,<br>
> ><br>
> ><br>
> > Sam Stoelinga<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> > Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> > Unsubscribe :<br>
> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
> --<br>
> Andreas<br>
> (IRC: scheuran)<br>
><br>
<br>
</div></div></blockquote></div><br></div>