[openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
Good day. I am looking at the internals of the bridge layout of the openvswitch agent at http://docs.openstack.org/network-admin/admin/content/figures/2/figures/under-the-hood-scenario-1-ovs-compute.png and wondering why this scheme is so complicated and why it uses a Linux bridge and veths together with openvswitch. Why not just plug the tap device directly into the openvswitch bridge without the intermediate brctl bridge? I guess that was caused by some important consideration, but I am unable to find any documents about this. If someone knows the reasons for that complex construction with different bridges, please respond.

Thanks.

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
Hi George:

On Wed, Nov 27, 2013 at 1:45 PM, George Shuklin <george.shuk...@gmail.com> wrote:

> Why not just plug the tap device directly into the openvswitch bridge without the intermediate brctl bridge?

If you look a little further down on the page with that figure, the documentation reads:

"Ideally, the TAP device vnet0 would be connected directly to the integration bridge, br-int. Unfortunately, this isn't possible because of how OpenStack security groups are currently implemented. OpenStack uses iptables rules on the TAP devices such as vnet0 to implement security groups, and Open vSwitch is not compatible with iptables rules that are applied directly on TAP devices that are connected to an Open vSwitch port."

Take care,

Lorin

--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
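To make the constraint quoted above concrete, here is an added example (not from the OpenStack docs or from Neutron itself) that plumbs one VM port the way the figure shows, tap to Linux bridge to veth pair to br-int, and attaches security-group style iptables rules on the Linux-bridge side of the tap. The interface names tap0, qbr0, qvb0 and qvo0 and the rule set are hypothetical; br-int is the integration bridge from the docs. With DRY_RUN=1 (the default) it only prints the commands; DRY_RUN=0 executes them and needs root, iproute2, Open vSwitch and iptables.

```shell
#!/bin/sh
# Added example: plumb one VM port as in the figure (tap -> Linux bridge -> veth pair -> br-int)
# and attach security-group style iptables rules on the tap's Linux-bridge side.
# Interface names and rules are hypothetical. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# plumb_port TAP LINUX_BRIDGE VETH_BRIDGE_SIDE VETH_OVS_SIDE INTEGRATION_BRIDGE
plumb_port() {
    tap=$1; qbr=$2; qvb=$3; qvo=$4; brint=$5
    run ip link add name "$qbr" type bridge
    run ip link set "$qbr" up
    run ip link add "$qvb" type veth peer name "$qvo"
    run ip link set "$qvb" master "$qbr"                 # bridge side of the veth pair
    run ip link set "$qvb" up
    run ip link set "$qvo" up
    run ovs-vsctl --may-exist add-port "$brint" "$qvo"   # OVS side of the veth pair
    run ip link set "$tap" master "$qbr"                 # the VM tap joins the Linux bridge, not br-int
}

# Security-group style filtering for one tap: allow SSH in plus return traffic, drop the rest.
# physdev only matches frames while they cross a Linux bridge with bridge-nf-call-iptables on;
# a tap plugged straight into an OVS port never reaches netfilter, hence the extra bridge.
sg_rules() {
    tap=$1
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-out "$tap" --physdev-is-bridged -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$tap" --physdev-is-bridged -p tcp --dport 22 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$tap" --physdev-is-bridged -j DROP
}

# plan_port: same arguments as plumb_port; always dry-run, returns the full command plan on stdout
plan_port() {
    ( DRY_RUN=1; plumb_port "$@"; sg_rules "$1" )
}

plan_port tap0 qbr0 qvb0 qvo0 br-int
```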
Re: [openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
Thank you for the reply! A few more questions:

AFAIK the Linux bridge (bridge tools) is not very fast (compared to OVS), so adding it between OVS and the tap (instead of yet another OVS switch) kind of slows everything down. Why not just use yet another openvswitch switch to connect the tap to the veth devices?

Why iptables, not internal openvswitch flow rules? Those rules allow filtering packets on L2-L4 headers and operate very fast. Are some iptables-only features used in ovs-agent?

Thanks.

On 27.11.2013 20:55, Lorin Hochstein <lo...@nimbisservices.com> wrote:

> "OpenStack uses iptables rules on the TAP devices such as vnet0 to implement security groups, and Open vSwitch is not compatible with iptables rules that are applied directly on TAP devices that are connected to an Open vSwitch port."
Re: [openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
On Nov 27, 2013, at 1:29 PM, George Shuklin <george.shuk...@gmail.com> wrote:

> Thank you for the reply! A few more questions:
>
> AFAIK the Linux bridge (bridge tools) is not very fast (compared to OVS), so adding it between OVS and the tap (instead of yet another OVS switch) kind of slows everything down. Why not just use yet another openvswitch switch to connect the tap to the veth devices?
>
> Why iptables, not internal openvswitch flow rules? Those rules allow filtering packets on L2-L4 headers and operate very fast. Are some iptables-only features used in ovs-agent?

George:

There is work ongoing now to implement security groups using OVS flow rules in the OVS agent with the ML2 plugin. That would do what you're looking at above. Stay tuned on this; the authors of these patches hope to have some WIP code available soon.

Thanks,
Kyle
Re: [openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
On Wed, Nov 27, 2013 at 09:29:16PM +0200, George Shuklin wrote:

> Why iptables, not internal openvswitch flow rules? Those rules allow filtering packets on L2-L4 headers and operate very fast. Are some iptables-only features used in ovs-agent?

I've seen a couple of references floating around about a Security Group driver implemented using OpenFlow [1], as well as some mailing list discussions [2]. Perhaps it is time for a blueprint to be registered?

[1] https://wiki.openstack.org/wiki/Neutron/SecurityGroups#Implementations
[2] http://openstack.markmail.org/thread/gxzb2opgm7mvb7h4

--
Sean M. Collins
Re: [openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?
Hi George,

I'm working on a blueprint to implement OVS flows for security groups.

https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver

Currently, neutron only implements security groups with iptables even when Open vSwitch is used.

Amir

On Nov 27, 2013, at 1:29 PM, George Shuklin <george.shuk...@gmail.com> wrote:

> Why iptables, not internal openvswitch flow rules? Those rules allow filtering packets on L2-L4 headers and operate very fast. Are some iptables-only features used in ovs-agent?