Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
Thank you Sean K Mooney and Moshe Levi for your comments. I have a few follow-up questions. Not looking for a detailed answer (I know you guys must be busy :)). Looking for some basic info and will be obliged if you can point me in a direction (link to code or docs) where I can continue my research to understand more deeply.

1. What is the difference between the neutron port_binding extension vif_type and vnic_type?
2. How does a vif object in os_vif (e.g. VifHostDevice) get related to a vif_type (direct)?
3. Where does port_profile related data get populated?
4. How is the decision of picking the correct networking back-end os_vif plugin made?

I guess everything comes under port binding negotiation.

-Pranab

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
> -----Original Message-----
> From: Moshe Levi [mailto:mosh...@mellanox.com]
> Sent: Wednesday, August 9, 2017 4:47 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> -----Original Message-----
> From: Mooney, Sean K [mailto:sean.k.moo...@intel.com]
> Sent: Wednesday, August 9, 2017 6:36 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> > -----Original Message-----
> > From: Moshe Levi [mailto:mosh...@mellanox.com]
> > Sent: Wednesday, August 9, 2017 3:25 PM
> > To: OpenStack Development Mailing List (not for usage questions)
> > Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
> >
> > Hi,
> >
> > 1) you should use a neutron port with vnic_type direct
> > 2) yes, just use a neutron port with vnic_type direct and configure the nova compute with the pci passthrough whitelist
> > 3) you can configure firewall_driver = openvswitch to work with Conntrack.
> >
> > So in your case if you have an SR-IOV nic which doesn't support hardware offload (but has VF representor ports) you will just fall back to the ovs kernel datapath.
>
> [Mooney, Sean K] That is not what will happen with intel nics, and I would be doubtful, based on the code I have seen in nova and neutron, that a fallback will happen with mellanox. If the neutron port has vnic_type direct it will always result in a sriov vf being allocated for that port. There is no check in nova to ensure ovs supports vf configuration and there is no check in the neutron ml2 driver either. This is why I wanted the feature based scheduling to prevent this from happening, as that would prevent nova from allocating the vf, which would cause scheduling to fail.
>
> [Moshe Levi] This is not what I meant. I was talking about the implementation of the ovs 2.8.0 hardware offload. I was referring to a NIC with SR-IOV that supports representor ports switchdev mode (maybe I misunderstood the question). If it is just an SR-IOV NIC then you are correct.

[Mooney, Sean K] Ah yes, if the nic and ovs both support representor ports and tc flower then yes, the datapath will auto-negotiate what can be offloaded vs what has to take the exception path via the kernel dataplane.

> When nova generates the Libvirt xml for that interface it will configure that port to use sriov direct pass-through. If ovs does not support managing that nic via the representor netdev, or the nic does not support the tc flower protocol, then the port add will not fail, as we are just adding the representor netdev as a normal port, but it will not be able to perform any control plane actions on it. There is no way for a Libvirt hostdevice to gracefully fall back to the kernel dataplane without modifying the xml. After all, we are not even adding the vf to ovs, we are adding a representor port to ovs, so the dataplane is entirely bypassing ovs for unsupported nics.
>
> As long as the host has a vf available and the ovs ml2 driver is listed before the sriov nic agent ml2 driver you will get into this broken state.
>
> > The ovs 2.8.0 code tries to offload each datapath rule to NIC hardware; if it fails, it falls back to the ovs kernel datapath.
> > So if you have a NIC that can offload classification on vlan and action output, only datapath flows that are constructed for this classification and action will be offloaded to hardware.
> >
> > -----Original Message-----
> > From: pranab boruah [mailto:pranabjyotibor...@gmail.com]
> > Sent: Wednesday, August 9, 2017 4:36 PM
> > To: OpenStack Development Mailing List (not for usage questions)
> > Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
> >
> > Hi,
> > I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.
> >
> > 1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.
> >
> > 2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?
> >
> > 3. I want to use Security Gro
Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
-----Original Message-----
From: Mooney, Sean K [mailto:sean.k.moo...@intel.com]
Sent: Wednesday, August 9, 2017 6:36 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice

> -----Original Message-----
> From: Moshe Levi [mailto:mosh...@mellanox.com]
> Sent: Wednesday, August 9, 2017 3:25 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> Hi,
>
> 1) you should use a neutron port with vnic_type direct
> 2) yes, just use a neutron port with vnic_type direct and configure the nova compute with the pci passthrough whitelist
> 3) you can configure firewall_driver = openvswitch to work with Conntrack.
>
> So in your case if you have an SR-IOV nic which doesn't support hardware offload (but has VF representor ports) you will just fall back to the ovs kernel datapath.

[Mooney, Sean K] That is not what will happen with intel nics, and I would be doubtful, based on the code I have seen in nova and neutron, that a fallback will happen with mellanox. If the neutron port has vnic_type direct it will always result in a sriov vf being allocated for that port. There is no check in nova to ensure ovs supports vf configuration and there is no check in the neutron ml2 driver either. This is why I wanted the feature based scheduling to prevent this from happening, as that would prevent nova from allocating the vf, which would cause scheduling to fail.

[Moshe Levi] This is not what I meant. I was talking about the implementation of the ovs 2.8.0 hardware offload. I was referring to a NIC with SR-IOV that supports representor ports switchdev mode (maybe I misunderstood the question). If it is just an SR-IOV NIC then you are correct.

When nova generates the Libvirt xml for that interface it will configure that port to use sriov direct pass-through. If ovs does not support managing that nic via the representor netdev, or the nic does not support the tc flower protocol, then the port add will not fail, as we are just adding the representor netdev as a normal port, but it will not be able to perform any control plane actions on it. There is no way for a Libvirt hostdevice to gracefully fall back to the kernel dataplane without modifying the xml. After all, we are not even adding the vf to ovs, we are adding a representor port to ovs, so the dataplane is entirely bypassing ovs for unsupported nics.

As long as the host has a vf available and the ovs ml2 driver is listed before the sriov nic agent ml2 driver you will get into this broken state.

> The ovs 2.8.0 code tries to offload each datapath rule to NIC hardware; if it fails, it falls back to the ovs kernel datapath.
> So if you have a NIC that can offload classification on vlan and action output, only datapath flows that are constructed for this classification and action will be offloaded to hardware.
>
> -----Original Message-----
> From: pranab boruah [mailto:pranabjyotibor...@gmail.com]
> Sent: Wednesday, August 9, 2017 4:36 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> Hi,
> I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.
>
> 1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.
>
> 2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?
>
> 3. I want to use Security Groups using OVS+Conntrack as the mechanism. Can I apply SG rules on the ports of type VIFHostDevice using the above mechanism?
>
> PS: I am still trying to understand this. Hence, I might get my premises wrong in the above questions. Will appreciate a detailed explanation.
>
> Regards,
> Pranab
Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
> -----Original Message-----
> From: Moshe Levi [mailto:mosh...@mellanox.com]
> Sent: Wednesday, August 9, 2017 3:25 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> Hi,
>
> 1) you should use a neutron port with vnic_type direct
> 2) yes, just use a neutron port with vnic_type direct and configure the nova compute with the pci passthrough whitelist
> 3) you can configure firewall_driver = openvswitch to work with Conntrack.
>
> So in your case if you have an SR-IOV nic which doesn't support hardware offload (but has VF representor ports) you will just fall back to the ovs kernel datapath.

[Mooney, Sean K] That is not what will happen with intel nics, and I would be doubtful, based on the code I have seen in nova and neutron, that a fallback will happen with mellanox. If the neutron port has vnic_type direct it will always result in a sriov vf being allocated for that port. There is no check in nova to ensure ovs supports vf configuration and there is no check in the neutron ml2 driver either. This is why I wanted the feature based scheduling to prevent this from happening, as that would prevent nova from allocating the vf, which would cause scheduling to fail.

When nova generates the Libvirt xml for that interface it will configure that port to use sriov direct pass-through. If ovs does not support managing that nic via the representor netdev, or the nic does not support the tc flower protocol, then the port add will not fail, as we are just adding the representor netdev as a normal port, but it will not be able to perform any control plane actions on it. There is no way for a Libvirt hostdevice to gracefully fall back to the kernel dataplane without modifying the xml. After all, we are not even adding the vf to ovs, we are adding a representor port to ovs, so the dataplane is entirely bypassing ovs for unsupported nics.

As long as the host has a vf available and the ovs ml2 driver is listed before the sriov nic agent ml2 driver you will get into this broken state.

> The ovs 2.8.0 code tries to offload each datapath rule to NIC hardware; if it fails, it falls back to the ovs kernel datapath.
> So if you have a NIC that can offload classification on vlan and action output, only datapath flows that are constructed for this classification and action will be offloaded to hardware.
>
> -----Original Message-----
> From: pranab boruah [mailto:pranabjyotibor...@gmail.com]
> Sent: Wednesday, August 9, 2017 4:36 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> Hi,
> I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.
>
> 1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.
>
> 2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?
>
> 3. I want to use Security Groups using OVS+Conntrack as the mechanism. Can I apply SG rules on the ports of type VIFHostDevice using the above mechanism?
>
> PS: I am still trying to understand this. Hence, I might get my premises wrong in the above questions. Will appreciate a detailed explanation.
>
> Regards,
> Pranab
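The broken state described in the message above (a vnic_type direct port bound by the OVS ML2 driver on a host whose NIC cannot offload, so flows installed on the representor never touch the VF's traffic) can be audited for. The Python below is an added example, not code from the thread or from nova, neutron or os-vif. The ml2_conf.ini fragment, the port records and the per-host inventory (field names switchdev and tc_flower_offload) are constructed, and it assumes OVS-bound direct ports report binding:vif_type "ovs".

```python
import configparser

# Constructed ml2_conf.ini fragment: OVS driver listed before the SR-IOV one.
ML2_CONF = """
[ml2]
mechanism_drivers = openvswitch,sriovnicswitch
"""

# Constructed port records keyed by Neutron's port-binding attribute names.
PORTS = [
    {"id": "port-a", "binding:host_id": "compute-1",
     "binding:vnic_type": "direct", "binding:vif_type": "ovs"},
    {"id": "port-b", "binding:host_id": "compute-2",
     "binding:vnic_type": "direct", "binding:vif_type": "ovs"},
    {"id": "port-c", "binding:host_id": "compute-1",
     "binding:vnic_type": "normal", "binding:vif_type": "ovs"},
    {"id": "port-d", "binding:host_id": "compute-3",
     "binding:vnic_type": "direct", "binding:vif_type": "ovs"},
]

# Hypothetical operator-maintained inventory; the field names are assumptions.
HOST_CAPS = {
    "compute-1": {"switchdev": False, "tc_flower_offload": False},
    "compute-2": {"switchdev": True, "tc_flower_offload": True},
}


def ovs_binds_direct_first(ml2_conf_text):
    """True when openvswitch gets to bind ports before sriovnicswitch."""
    parser = configparser.ConfigParser()
    parser.read_string(ml2_conf_text)
    raw = parser.get("ml2", "mechanism_drivers", fallback="")
    drivers = [d.strip() for d in raw.split(",") if d.strip()]
    if "openvswitch" not in drivers:
        return False
    if "sriovnicswitch" not in drivers:
        return True
    return drivers.index("openvswitch") < drivers.index("sriovnicswitch")


def unenforced_direct_ports(ports, host_caps):
    """Ids of OVS-bound direct ports on hosts that cannot offload flows."""
    flagged = []
    for port in ports:
        if port.get("binding:vnic_type") != "direct":
            continue  # not a VF passthrough port
        if port.get("binding:vif_type") != "ovs":
            continue  # assumption: OVS-bound ports report vif_type "ovs"
        caps = host_caps.get(port.get("binding:host_id"), {})
        # Hosts missing from the inventory are treated as not capable.
        if not (caps.get("switchdev") and caps.get("tc_flower_offload")):
            flagged.append(port["id"])
    return flagged


if __name__ == "__main__":
    if ovs_binds_direct_first(ML2_CONF):
        for port_id in unenforced_direct_ports(PORTS, HOST_CAPS):
            print("security group flows have no dataplane effect:", port_id)
```

Conntrack-based security groups additionally need conntrack offload support in the NIC, which this inventory does not model.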
Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
> -----Original Message-----
> From: pranab boruah [mailto:pranabjyotibor...@gmail.com]
> Sent: Wednesday, August 9, 2017 2:36 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
>
> Hi,
> I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.
>
> 1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.

[Mooney, Sean K] Hi, os-vif vif objects such as VIFHostDevice have no direct correlation with the neutron port binding extension vif_type or vnic_type. That is to say, you cannot directly request VIFHostDevice via the cli by setting a vif_type or vnic_type.

The vif objects in os-vif are data structures that encapsulate the common data model that describes a specific network interface type. In the case of VIFHostDevice this corresponds to a sriov VF. This is then paired with an os-vif plugin which encapsulates the port binding logic for plugging these abstract vifs into that specific network backend. This is combined with an os-vif port profile object which transports any backend specific info that cannot be generically included in the os-vif vif object, for example the vf representor netdev address or a vSwitch's bridge name.

> 2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?

[Mooney, Sean K] You can launch an instance with that configuration, yes; however, you will not have any way to manage that vf via ovs. Libvirt would still connect the dataplane to the vm via standard host passthrough/sriov; however, applying actions to the representor port attached to the ovs bridge, such as tagging the interface with a vlan or installing openflow rules to filter the traffic with the ovs conntrack security group driver, would have no effect on the dataplane.

> 3. I want to use Security Groups using OVS+Conntrack as the mechanism. Can I apply SG rules on the ports of type VIFHostDevice using the above mechanism?

[Mooney, Sean K] That should work with a Mellanox or Netronome smart nic with an ovs that supports the tc flower offload, if they have implemented conntrack support, but it would not work with a generic nic. That is something that in the future we do intend to support, but at present it requires nic support to enable with conntrack. It may be possible to use the learn action openflow security group driver if your nic does not support conntrack, for stateless firewalling, which is still better than what you have today with sriov, but the bottom line is you need nic support in hardware/firmware and ovs support for that nic offload to make this work.

> PS: I am still trying to understand this. Hence, I might get my premises wrong in the above questions. Will appreciate a detailed explanation.
>
> Regards,
> Pranab
Re: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
Hi,

1) you should use a neutron port with vnic_type direct
2) yes, just use a neutron port with vnic_type direct and configure the nova compute with the pci passthrough whitelist
3) you can configure firewall_driver = openvswitch to work with Conntrack.

So in your case if you have an SR-IOV nic which doesn't support hardware offload (but has VF representor ports) you will just fall back to the ovs kernel datapath.
The ovs 2.8.0 code tries to offload each datapath rule to NIC hardware; if it fails, it falls back to the ovs kernel datapath.
So if you have a NIC that can offload classification on vlan and action output, only datapath flows that are constructed for this classification and action will be offloaded to hardware.

-----Original Message-----
From: pranab boruah [mailto:pranabjyotibor...@gmail.com]
Sent: Wednesday, August 9, 2017 4:36 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice

Hi,
I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.

1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.

2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?

3. I want to use Security Groups using OVS+Conntrack as the mechanism. Can I apply SG rules on the ports of type VIFHostDevice using the above mechanism?

PS: I am still trying to understand this. Hence, I might get my premises wrong in the above questions. Will appreciate a detailed explanation.

Regards,
Pranab
[openstack-dev] [os-vif] [vif_plug_ovs] Queries on VIF_Type VIFHostDevice
Hi,
I am experimenting with the os-vif library and stumbled upon this new VIF type called VIFHostDevice. I have a few general queries. TIA.

1. How do I create ports with VIF_type as VIFHostDevice? Looking for the CLI command options.

2. Say I have OVS running completely on the x86 host (no datapath or flow offload to NIC) as the networking mechanism and an SRIOV capable NIC (for existence of VF representors that will be added to the OVS bridge). Can I still launch instances with VIF_type as VIFHostDevice?

3. I want to use Security Groups using OVS+Conntrack as the mechanism. Can I apply SG rules on the ports of type VIFHostDevice using the above mechanism?

PS: I am still trying to understand this. Hence, I might get my premises wrong in the above questions. Will appreciate a detailed explanation.

Regards,
Pranab