[openstack-dev] [neutron] high dhcp lease times in neutron deployments considered harmful (or not???)
Kevin Benton
blak111 at gmail.com
Mon Feb 2 11:48:39 UTC 2015
>The only thing this discussion has convinced me of is that allowing users
to change the fixed IP address on a neutron port leads to a bad
user-experience.
Not as bad as having to delete a port and create another one on the same
network just to change addresses though...
>Even with an 8-minute renew time you're talking up to a 7-minute blackout
(87.5% of lease time before using broadcast).
I suggested 240 seconds renewal time, which is up to 4 minutes of
connectivity outage. This doesn't have anything to do with lease time and
unicast DHCP will work because the spoof rules allow DHCP client traffic
before restricting to specific IPs.
> Most would have rebooted long before then, true? Cattle not pets, right?
Only in an ideal world that I haven't encountered with customer
deployments. Many enterprise deployments end up bringing pets along where
reboots aren't always free. The time taken to relaunch programs and restore
state can end up being 10 minutes+ if it's something like a VDI deployment
or dev environment where someone spends a lot of time working on one VM.
>Changing the lease time is just papering-over the real bug - neutron
doesn't support seamless changes in IP addresses on ports, since it totally
relies on the dhcp configuration settings a deployer has chosen.
It doesn't need to be seamless, but it certainly shouldn't be useless.
Connectivity interruptions can be expected with IP changes (e.g. I've seen
changes in elastic IPs on EC2 can interrupt connectivity to an instance for
up to 2 minutes), but an entire day of downtime is awful.
One of the things I'm getting at is that a deployer shouldn't be choosing
such high lease times and we are encouraging it with a high default. You
are arguing for infrequent renewals to work around excessive logging, which
is just an implementation problem that should be addressed with a patch to
your logging collector (de-duplication) or to dnsmasq (don't log renewals).
>Documenting a VM reboot is necessary, or even deprecating this (you won't
like that) are sounding better to me by the minute.
If this is an approach you really want to go with, then we should at least
be consistent and deprecate the extra dhcp options extension (or at least
the ability to update ports' dhcp options). Updating subnet attributes like
gateway_ip, dns_nameserves, and host_routes should be thrown out as well.
All of these things depend on the DHCP server to deliver updated
information and are hindered by renewal times. Why discriminate against IP
updates on a port? A failure to receive many of those other types of
changes could result in just as severe of a connection disruption.
In summary, the information the DHCP server gives to clients is not static.
Unless we eliminate updates to everything in the Neutron API that results
in different DHCP lease information, my suggestion is that we include a new
option for the renewal interval and have the default set <5 minutes. We can
leave the lease default to 1 day so the amount of time a DHCP server can be
offline without impacting running clients can stay the same.
On Fri, Jan 30, 2015 at 8:00 AM, Brian Haley <brian.haley at hp.com> wrote:
> Kevin,
>
> The only thing this discussion has convinced me of is that allowing users
> to
> change the fixed IP address on a neutron port leads to a bad
> user-experience.
> Even with an 8-minute renew time you're talking up to a 7-minute blackout
> (87.5%
> of lease time before using broadcast). This is time that customers are
> paying
> for. Most would have rebooted long before then, true? Cattle not pets,
> right?
>
> Changing the lease time is just papering-over the real bug - neutron
> doesn't
> support seamless changes in IP addresses on ports, since it totally relies
> on
> the dhcp configuration settings a deployer has chosen. Bickering over the
> lease
> time doesn't fix that non-deterministic recovery for the VM. Documenting
> a VM
> reboot is necessary, or even deprecating this (you won't like that) are
> sounding
> better to me by the minute.
>
> Is there anyone else that has used, or has customers using, this part of
> the
> neutron API? Can they share their experiences?
>
> -Brian
>
>
> On 01/30/2015 07:26 AM, Kevin Benton wrote:
> >>But they will if we document it well, which is what Salvatore suggested.
> >
> > I don't think this is a good approach, and it's a big part of why I
> started this
> > thread. Most of the deployers/operators I have worked with only read the
> bare
> > minimum documentation to get a Neutron deployment working and they only
> adjust
> > the settings necessary for basic functionality.
> >
> > We have an overwhelming amount of configuration options and adding a note
> > specifying that a particular setting for DHCP leases has been optimized
> to
> > reduce logging at the cost of long downtimes during port IP address
> updates is a
> > waste of time and effort on our part.
> >
> >>I think the current default value is also more indicative of something
> > you'd find in your house, or at work - i.e. stable networks.
> >
> > Tenants don't care what the DHCP lease time is or that it matches what
> they
> > would see from a home router. They only care about connectivity.
> >
> >>One solution is to disallow this operation.
> >
> > I want this feature to be useful in deployments by default, not strip it
> > away. You can probably do this with /etc/neutron/policy.json without a
> code
> > change if you wanted to block it in a deployment like yours where you
> have such
> > a high lease time.
> >
> >>Perhaps letting the user set it, but allow the admin to set the valid
> range
> > for min/max? And if they don't specify they get the default?
> >
> > Tenants wouldn't have any reason to adjust this default. They would be
> even less
> > likely than the operator to know about this weird relationship between a
> DHCP
> > setting and the amount of time they lose connectivity after updating
> their
> > ports' IPs.
> >
> >>It impacts anyone that hasn't changed from the default since July 2013
> and later
> > (Havana), since if they don't notice, they might get bitten by it.
> >
> > Keep in mind that what I am suggesting with the lease-renewal-time would
> be
> > separate from the lease expiration time. The only difference that an
> operator
> > would see on upgrade (if using the defaults) is increased DHCP traffic
> and more
> > logs to syslog from dnsmasq. The lease time would still be the same so
> the
> > downtime windows for DHCP agents would be maintained. That is much less
> of an
> > impact than many of the non-config changes we make between cycles.
> >
> > To clarify, even with an option for dhcp-renewal-time I am proposing,
> you are
> > still opposed to setting it to anything low because of logging and the
> ~24 bps
> > background DHCP traffic per VM?
> >
> > On Thu, Jan 29, 2015 at 7:11 PM, Brian Haley <brian.haley at hp.com
> > <mailto:brian.haley at hp.com>> wrote:
> >
> > On 01/29/2015 05:28 PM, Kevin Benton wrote:
> > >>How is Neutron breaking this? If I move a port on my physical
> switch to a
> > > different subnet, can you still communicate with the host sitting
> on it?
> > > Probably not since it has a view of the world (next-hop router)
> that no longer
> > > exists, and the network won't route packets for it's old IP
> address to the new
> > > location. It has to wait for it's current DHCP lease to tick down
> to the point
> > > where it will use broadcast to get a new one, after which point it
> will work.
> > >
> > > That's not just moving to a different subnet. That's moving to a
> different
> > > broadcast domain. Neutron supports multiple subnets per network
> (broadcast
> > > domain). An address on either subnet will work. The router has two
> interfaces
> > > into the network, one on each subnet.[2]
> > >
> > >
> > >>Does it work on Windows VMs too? People run those in clouds too.
> The point is
> > > that if we don't know if all the DHCP clients will support it then
> it's a
> > > non-starter since there's no way to tell from the server side.
> > >
> > > It appears they do.[1] Even for clients that don't, the worst case
> scenario is
> > > just that they are stuck where we are now.
> > >
> > >>"... then the deployer can adjust the value upwards...", hmm, can
> they adjust it
> > > downwards as well? :)
> > >
> > > Yes, but most people doing initial openstack deployments don't and
> wouldn't
> > > think to without understanding the intricacies of the security
> groups filtering
> > > in Neutron.
> >
> > But they will if we document it well, which is what Salvatore
> suggested.
> >
> > >>I'm glad you're willing to "boil the ocean" to try and get the
> default changed,
> > > but is all this really worth it when all you have to do is edit
> the config file
> > > in your deployment? That's why the value is there in the first
> place.
> > >
> > > The default value is basically incompatible with port IP changes.
> We shouldn't
> > > be shipping defaults that lead to half-broken functionality. What
> I'm
> > > understanding is that the current default value is to workaround
> shortcomings in
> > > dnsmasq. This is an example of implementation details leaking out
> and leading to
> > > bad UX.
> >
> > I think the current default value is also more indicative of
> something you'd
> > find in your house, or at work - i.e. stable networks.
> >
> > I had another thought on this Kevin, hoping that we could come to
> some
> > resolution, because sure, shipping broken functionality isn't
> great. But here's
> > the rub - how do we make a change in a fixed IP work in *all*
> deployments?
> > Since the end-user can't set this value, they'll run into this
> problem in my
> > deployment, or any other that has some not-very-short lease time.
> One solution
> > is to disallow this operation. The other is to fix neutron to make
> this work
> > better (I don't know what that involves, but there's bound to be a
> way).
> > Perhaps letting the user set it, but allow the admin to set the
> valid range for
> > min/max? And if they don't specify they get the default?
> >
> > > If we had an option to configure how often iptables rules were
> refreshed to
> > > match their security group, there is no way we would have a
> default of 12 hours.
> > > This is essentially the same level of connectivity interruption,
> it just happens
> > > to be a narrow use case so it hasn't been getting any attention.
> > >
> > > To flip your question around, why do you care if the default is
> lower? You
> > > already adjust it beyond the 1 day default in your deployment, so
> how would a
> > > different default impact you?
> >
> > It impacts anyone that hasn't changed from the default since July
> 2013 and later
> > (Havana), since if they don't notice, they might get bitten by it.
> >
> > -Brian
> >
> >
> > >
> > > 1. http://support.microsoft.com/kb/121005
> > > 2. Similar to using the "secondary" keyword on Cisco devices. Or
> just the "ip
> > > addr add" command on linux.
> > >
> > > On Thu, Jan 29, 2015 at 1:34 PM, Brian Haley <brian.haley at hp.com
> <mailto:brian.haley at hp.com>
> > > <mailto:brian.haley at hp.com <mailto:brian.haley at hp.com>>> wrote:
> > >
> > > On 01/29/2015 03:55 AM, Kevin Benton wrote:
> > > >>Why would users want to change an active port's IP address
> anyway?
> > > >
> > > > Re-addressing. It's not common, but the entire reason I
> brought this
> > up is
> > > > because a user was moving an instance to another subnet on
> the same
> > network and
> > > > stranded one of their VMs.
> > > >
> > > >> I worry about setting a default config value to handle a
> very
> > unusual use case.
> > > >
> > > > Changing a static lease is something that works on normal
> networks
> > so I don't
> > > > think we should break it in Neutron without a really good
> reason.
> > >
> > > How is Neutron breaking this? If I move a port on my physical
> switch to a
> > > different subnet, can you still communicate with the host
> sitting on it?
> > > Probably not since it has a view of the world (next-hop
> router) that
> > no longer
> > > exists, and the network won't route packets for it's old IP
> address to
> > the new
> > > location. It has to wait for it's current DHCP lease to tick
> down to
> > the point
> > > where it will use broadcast to get a new one, after which
> point it
> > will work.
> > >
> > > > Right now, the big reason to keep a high lease time that I
> agree
> > with is that it
> > > > buys operators lots of dnsmasq downtime without affecting
> running
> > clients. To
> > > > get the best of both worlds we can set DHCP option 58 (a.k.a
> > dhcp-renewal-time
> > > > or T1) to 240 seconds. Then the lease time can be left to be
> > something large
> > > > like 10 days to allow for tons of DHCP server downtime
> without
> > affecting running
> > > > clients.
> > > >
> > > > There are two issues with this approach. First, some simple
> dhcp
> > clients don't
> > > > honor that dhcp option (e.g. the one with Cirros), but it
> works with
> > dhclient so
> > > > it should work on CentOS, Fedora, etc (I verified it works on
> > Ubuntu). This
> > > > isn't a big deal because the worst case is what we have
> already
> > (half of the
> > > > lease time). The second issue is that dnsmasq hardcodes that
> option,
> > so a patch
> > > > would be required to allow it to be specified in the options
> file. I
> > am happy to
> > > > submit the patch required there so that isn't a big deal
> either.
> > >
> > > Does it work on Windows VMs too? People run those in clouds
> too. The
> > point is
> > > that if we don't know if all the DHCP clients will support it
> then it's a
> > > non-starter since there's no way to tell from the server side.
> > >
> > > > If we implement that fix, the remaining issue is Brian's
> other
> > comment about too
> > > > much DHCP traffic. I've been doing some packet captures and
> the standard
> > > > request/reply for a renewal is 2 unicast packets totaling
> about 725
> > bytes.
> > > > Assuming 10,000 VMs renewing every 240 seconds, there will
> be an
> > average of 242
> > > > kbps background traffic across the entire network. Even at a
> density
> > of 50 VMs,
> > > > that's only 1.2 kbps per compute node. If that's still too
> much,
> > then the
> > > > deployer can adjust the value upwards, but that's hardly a
> reason to
> > have a high
> > > > default.
> > >
> > > "... then the deployer can adjust the value upwards...", hmm,
> can they
> > adjust it
> > > downwards as well? :)
> > >
> > > > That just leaves the logging problem. Since we require a
> change to
> > dnsmasq
> > > > anyway, perhaps we could also request an option to suppress
> logs
> > from renewals?
> > > > If that's not adequate, I think 2 log entries per vm every
> 240
> > seconds is really
> > > > only a concern for operators with large clouds and they
> should have the
> > > > knowledge required to change a config file anyway. ;-)
> > >
> > > I'm glad you're willing to "boil the ocean" to try and get the
> default
> > changed,
> > > but is all this really worth it when all you have to do is
> edit the
> > config file
> > > in your deployment? That's why the value is there in the
> first place.
> > >
> > > Sorry, I'm still unconvinced we need to do anything more than
> document
> > this.
> > >
> > > -Brian
> > >
> > >
> > >
> > >
> __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe:
> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> > > <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> > >
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> > >
> > >
> > >
> > > --
> > > Kevin Benton
> > >
> > >
> > >
> __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> >
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> >
> >
> > --
> > Kevin Benton
> >
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
Kevin Benton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150202/4ff28e25/attachment.html>
More information about the OpenStack-dev
mailing list