Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
> -Original Message- > From: Assaf Muller [mailto:as...@redhat.com] > Sent: Monday, August 15, 2016 2:50 PM > To: OpenStack Development Mailing List (not for usage questions) > <openstack-dev@lists.openstack.org> > Cc: Mooney, Sean K <sean.k.moo...@intel.com> > Subject: Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack > security group driver with ovs-dpdk > > + Jakub. > > On Wed, Aug 10, 2016 at 9:54 AM, > <kostiantyn.volenbovs...@swisscom.com> wrote: > > Hi, > >> [Mooney, Sean K] > >> In ovs 2.5 only linux kernel conntrack was supported assuming you > had > >> a 4.x kernel that supported it. that means that the feature was not > >> available on bsd,windows or with dpdk. > > Yup, I also thought about something like that. > > I think I was at-least-slightly misguided by > > http://docs.openstack.org/draft/networking-guide/adv-config- > ovsfwdrive > > r.html > > and there is currently a statement > > "The native OVS firewall implementation requires kernel and user > space support for conntrack, thus requiring minimum versions of the > Linux kernel and Open vSwitch. All cases require Open vSwitch version > 2.5 or newer." > > I agree, that statement is misleading. [Mooney, Sean K] the 2.6 branch now exists so it is probably ok to refer to 2.6 now. https://github.com/openvswitch/ovs/commits/branch-2.6 The release should be made ~ September 15th https://github.com/openvswitch/ovs/blob/797dad21566fecc60de3ce6f93c81ad55a61fe86/Documentation/release-process.md#release-scheduling which will be before then next openstack release. if you would like I can update the networking guide to refect the change in ovs. > > > > > Do you agree that this is something to change? I think it is not OK > to state OVS 2.6 without that being released, but in case I am not > confusing then: > > -OVS firewall driver with OVS that uses kernel datapath requires OVS > > 2.5 and Linux kernel 4.3 -OVS firewall driver with OVS that uses > > userspace datapath with DPDK (aka ovs-dpdk aka DPDK vhost-user aka > netdev datapath) doesn't have a Linux kernel prerequisite That is > documented in table in " ### Q: Are all features available with all > datapaths?": > > http://openvswitch.org/support/dist-docs/FAQ.md.txt > > where currently 'Connection tracking' row says 'NO' for 'Userspace' - > > but that's exactly what has been merged recently /to become feature > of > > OVS 2.6 > > > > Also when it comes to performance I came across > > http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I > would guess that devil could be the exact flows/ct actions that will be > present in real-life scenario. > > > > > > BR, > > Konstantin > > > > > >> -----Original Message- > >> From: Mooney, Sean K [mailto:sean.k.moo...@intel.com] > >> Sent: Tuesday, August 09, 2016 2:29 PM > >> To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC > >> <kostiantyn.volenbovs...@swisscom.com>; openstack- > >> d...@lists.openstack.org > >> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] > conntrack > >> security group driver with ovs-dpdk > >> > >> > >> > -Original Message- > >> > From: kostiantyn.volenbovs...@swisscom.com > >> > [mailto:kostiantyn.volenbovs...@swisscom.com] > >> > Sent: Tuesday, August 9, 2016 12:58 PM > >> > To: openstack-dev@lists.openstack.org; Mooney, Sean K > >> > <sean.k.moo...@intel.com> > >> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] > >> > conntrack security group driver with ovs-dpdk > >> > > >> > Hi, > >> > (sorry for using incorrect threading) > >> > > >> > > > About 2 weeks ago I did some light testing with the conntrack > >> > > > security group driver and the newly > >> > > > > >> > > > Merged upserspace conntrack support in ovs. > >> > > > > >> > By 'recently' - whether you mean patch v4 > >> > http://openvswitch.org/pipermail/dev/2016-June/072700.html > >> > or you used OVS 2.5 itself (which I think includes v2 of the same > >> > patch series)? > >> [Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016- > >> June/072700.html or specifically i used the following commit > >> > https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c > >> 3 > >> 6e8a6e846669 > >> which is just after userspac
Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
+ Jakub. On Wed, Aug 10, 2016 at 9:54 AM, <kostiantyn.volenbovs...@swisscom.com> wrote: > Hi, >> [Mooney, Sean K] >> In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x >> kernel that supported it. that means that the feature was not available on >> bsd,windows or with dpdk. > Yup, I also thought about something like that. > I think I was at-least-slightly misguided by > http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html > and there is currently a statement > "The native OVS firewall implementation requires kernel and user space > support for conntrack, thus requiring minimum versions of the Linux kernel > and Open vSwitch. All cases require Open vSwitch version 2.5 or newer." I agree, that statement is misleading. > > Do you agree that this is something to change? I think it is not OK to state > OVS 2.6 without that being released, but in case I am not confusing then: > -OVS firewall driver with OVS that uses kernel datapath requires OVS 2.5 and > Linux kernel 4.3 > -OVS firewall driver with OVS that uses userspace datapath with DPDK (aka > ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a Linux > kernel prerequisite > That is documented in table in " ### Q: Are all features available with all > datapaths?": > http://openvswitch.org/support/dist-docs/FAQ.md.txt > where currently 'Connection tracking' row says 'NO' for 'Userspace' - but > that's exactly what has been merged recently /to become feature of OVS 2.6 > > Also when it comes to performance I came across > http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I would guess > that devil could be the exact flows/ct actions that will be present in > real-life scenario. > > > BR, > Konstantin > > >> -Original Message- >> From: Mooney, Sean K [mailto:sean.k.moo...@intel.com] >> Sent: Tuesday, August 09, 2016 2:29 PM >> To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC >> <kostiantyn.volenbovs...@swisscom.com>; openstack- >> d...@lists.openstack.org >> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack >> security >> group driver with ovs-dpdk >> >> >> > -Original Message- >> > From: kostiantyn.volenbovs...@swisscom.com >> > [mailto:kostiantyn.volenbovs...@swisscom.com] >> > Sent: Tuesday, August 9, 2016 12:58 PM >> > To: openstack-dev@lists.openstack.org; Mooney, Sean K >> > <sean.k.moo...@intel.com> >> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack >> > security group driver with ovs-dpdk >> > >> > Hi, >> > (sorry for using incorrect threading) >> > >> > > > About 2 weeks ago I did some light testing with the conntrack >> > > > security group driver and the newly >> > > > >> > > > Merged upserspace conntrack support in ovs. >> > > > >> > By 'recently' - whether you mean patch v4 >> > http://openvswitch.org/pipermail/dev/2016-June/072700.html >> > or you used OVS 2.5 itself (which I think includes v2 of the same >> > patch series)? >> [Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016- >> June/072700.html or specifically i used the following commit >> https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c3 >> 6e8a6e846669 >> which is just after userspace conntrack was merged, >> > >> > So in general - I am a bit confused about conntrack support in OVS. >> > >> > OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016- >> > February/81.html state: >> > "This release includes the highly anticipated support for connection >> > tracking in the Linux kernel. This feature makes it possible to >> > implement stateful firewalls and will be the basis for future stateful >> > features such as NAT and load-balancing. Work is underway to bring >> > connection tracking to the userspace datapath (used by DPDK) and the >> > port to Hyper-V." - in the way that 'work is underway' (=work is >> > ongoing) means that a time of OVS 2.5 release the feature was not >> > 'classified' as ready? >> [Mooney, Sean K] >> In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x >> kernel that supported it. that means that the feature was not available on >> bsd,windows or with dpdk. >> >> In the upcoming ovs 2.6 release conntrack support has been added to the >> Netdev datapath which is used with dpdk and on bsd. As far as I
Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
Hi, > [Mooney, Sean K] > In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x > kernel that supported it. that means that the feature was not available on > bsd,windows or with dpdk. Yup, I also thought about something like that. I think I was at-least-slightly misguided by http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html and there is currently a statement "The native OVS firewall implementation requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer." Do you agree that this is something to change? I think it is not OK to state OVS 2.6 without that being released, but in case I am not confusing then: -OVS firewall driver with OVS that uses kernel datapath requires OVS 2.5 and Linux kernel 4.3 -OVS firewall driver with OVS that uses userspace datapath with DPDK (aka ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a Linux kernel prerequisite That is documented in table in " ### Q: Are all features available with all datapaths?": http://openvswitch.org/support/dist-docs/FAQ.md.txt where currently 'Connection tracking' row says 'NO' for 'Userspace' - but that's exactly what has been merged recently /to become feature of OVS 2.6 Also when it comes to performance I came across http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I would guess that devil could be the exact flows/ct actions that will be present in real-life scenario. BR, Konstantin > -Original Message- > From: Mooney, Sean K [mailto:sean.k.moo...@intel.com] > Sent: Tuesday, August 09, 2016 2:29 PM > To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC > <kostiantyn.volenbovs...@swisscom.com>; openstack- > d...@lists.openstack.org > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security > group driver with ovs-dpdk > > > > -Original Message- > > From: kostiantyn.volenbovs...@swisscom.com > > [mailto:kostiantyn.volenbovs...@swisscom.com] > > Sent: Tuesday, August 9, 2016 12:58 PM > > To: openstack-dev@lists.openstack.org; Mooney, Sean K > > <sean.k.moo...@intel.com> > > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack > > security group driver with ovs-dpdk > > > > Hi, > > (sorry for using incorrect threading) > > > > > > About 2 weeks ago I did some light testing with the conntrack > > > > security group driver and the newly > > > > > > > > Merged upserspace conntrack support in ovs. > > > > > > By 'recently' - whether you mean patch v4 > > http://openvswitch.org/pipermail/dev/2016-June/072700.html > > or you used OVS 2.5 itself (which I think includes v2 of the same > > patch series)? > [Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016- > June/072700.html or specifically i used the following commit > https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c3 > 6e8a6e846669 > which is just after userspace conntrack was merged, > > > > So in general - I am a bit confused about conntrack support in OVS. > > > > OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016- > > February/81.html state: > > "This release includes the highly anticipated support for connection > > tracking in the Linux kernel. This feature makes it possible to > > implement stateful firewalls and will be the basis for future stateful > > features such as NAT and load-balancing. Work is underway to bring > > connection tracking to the userspace datapath (used by DPDK) and the > > port to Hyper-V." - in the way that 'work is underway' (=work is > > ongoing) means that a time of OVS 2.5 release the feature was not > > 'classified' as ready? > [Mooney, Sean K] > In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x > kernel that supported it. that means that the feature was not available on > bsd,windows or with dpdk. > > In the upcoming ovs 2.6 release conntrack support has been added to the > Netdev datapath which is used with dpdk and on bsd. As far as I am aware > windows conntrack support is still Missing but I may be wrong. > > If you are interested the devstack local.conf I used to test that it > functioned is > available here http://paste.openstack.org/show/552434/ > > I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces to do the > testing. > > > > > > > > BR, > > Konstantin > > > > > > > > > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K > > <sean.k
Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
> -Original Message- > From: kostiantyn.volenbovs...@swisscom.com > [mailto:kostiantyn.volenbovs...@swisscom.com] > Sent: Tuesday, August 9, 2016 12:58 PM > To: openstack-dev@lists.openstack.org; Mooney, Sean K > <sean.k.moo...@intel.com> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack > security group driver with ovs-dpdk > > Hi, > (sorry for using incorrect threading) > > > > About 2 weeks ago I did some light testing with the conntrack > > > security group driver and the newly > > > > > > Merged upserspace conntrack support in ovs. > > > > By 'recently' - whether you mean patch v4 > http://openvswitch.org/pipermail/dev/2016-June/072700.html > or you used OVS 2.5 itself (which I think includes v2 of the same patch > series)? [Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016-June/072700.html or specifically i used the following commit https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669 which is just after userspace conntrack was merged, > > So in general - I am a bit confused about conntrack support in OVS. > > OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016- > February/81.html state: > "This release includes the highly anticipated support for connection > tracking in the Linux kernel. This feature makes it possible to > implement stateful firewalls and will be the basis for future stateful > features such as NAT and load-balancing. Work is underway to bring > connection tracking to the userspace datapath (used by DPDK) and the > port to Hyper-V." - in the way that 'work is underway' (=work is > ongoing) means that a time of OVS 2.5 release the feature was not > 'classified' as ready? [Mooney, Sean K] In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x kernel that supported it. that means that the feature was not available on bsd,windows or with dpdk. In the upcoming ovs 2.6 release conntrack support has been added to the Netdev datapath which is used with dpdk and on bsd. As far as I am aware windows conntrack support is still Missing but I may be wrong. If you are interested the devstack local.conf I used to test that it functioned is available here http://paste.openstack.org/show/552434/ I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces to do the testing. > > > BR, > Konstantin > > > > > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K > <sean.k.moo...@intel.com> > > wrote: > > > Hi just a quick fyi, > > > > > > About 2 weeks ago I did some light testing with the conntrack > security > > > group driver and the newly > > > > > > Merged upserspace conntrack support in ovs. > > > > > > > > > > > > I can confirm that at least form my initial smoke tests where I > > > > > > Uses netcat ping and ssh to try and establish connections between > two > > > vms the > > > > > > Conntrack security group driver appears to function correctly with > the > > > userspace connection tracker. > > > > > > > > > > > > We have not looked at any of the performance yet but assuming it is > at > > > an acceptable level I am planning to > > > > > > Deprecate the learn action based driver in networking-ovs-dpdk and > > > remove it once we have cut the stable newton > > > > > > Branch. > > > > > > > > > > > > We hope to do some rfc 2544 throughput testing to evaluate the > > > performance sometime mid-September. > > > > > > Assuming all goes well I plan on enabling the conntrack based > security > > > group driver by default when the > > > > > > Networking-ovs-dpdk devstack plugin is loaded. We will also > evaluate > > > enabling the security group tests > > > > > > In our third party ci to ensure it continues to function correctly > > > with ovs-dpdk. > > > > > > > > > > > > Regards > > > > > > Seán > > > > > > > > > > > > > > > > > _ > > _ > > > OpenStack Development Mailing List (not for usage questions) > > > Unsubscribe: > > > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > > > _ > > _ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: OpenStack-dev- > requ...@lists.openstack.org?subject:unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
Hi, (sorry for using incorrect threading) > > About 2 weeks ago I did some light testing with the conntrack security > > group driver and the newly > > > > Merged upserspace conntrack support in ovs. > > By 'recently' - whether you mean patch v4 http://openvswitch.org/pipermail/dev/2016-June/072700.html or you used OVS 2.5 itself (which I think includes v2 of the same patch series)? So in general - I am a bit confused about conntrack support in OVS. OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016-February/81.html state: "This release includes the highly anticipated support for connection tracking in the Linux kernel. This feature makes it possible to implement stateful firewalls and will be the basis for future stateful features such as NAT and load-balancing. Work is underway to bring connection tracking to the userspace datapath (used by DPDK) and the port to Hyper-V." - in the way that 'work is underway' (=work is ongoing) means that a time of OVS 2.5 release the feature was not 'classified' as ready? BR, Konstantin > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K> wrote: > > Hi just a quick fyi, > > > > About 2 weeks ago I did some light testing with the conntrack security > > group driver and the newly > > > > Merged upserspace conntrack support in ovs. > > > > > > > > I can confirm that at least form my initial smoke tests where I > > > > Uses netcat ping and ssh to try and establish connections between two > > vms the > > > > Conntrack security group driver appears to function correctly with the > > userspace connection tracker. > > > > > > > > We have not looked at any of the performance yet but assuming it is at > > an acceptable level I am planning to > > > > Deprecate the learn action based driver in networking-ovs-dpdk and > > remove it once we have cut the stable newton > > > > Branch. > > > > > > > > We hope to do some rfc 2544 throughput testing to evaluate the > > performance sometime mid-September. > > > > Assuming all goes well I plan on enabling the conntrack based security > > group driver by default when the > > > > Networking-ovs-dpdk devstack plugin is loaded. We will also evaluate > > enabling the security group tests > > > > In our third party ci to ensure it continues to function correctly > > with ovs-dpdk. > > > > > > > > Regards > > > > Seán > > > > > > > > > > > _ > _ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: > > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > _ > _ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
Awesome Sean!, Keep us posted!! :) On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean Kwrote: > Hi just a quick fyi, > > About 2 weeks ago I did some light testing with the conntrack security group > driver and the newly > > Merged upserspace conntrack support in ovs. > > > > I can confirm that at least form my initial smoke tests where I > > Uses netcat ping and ssh to try and establish connections between two vms > the > > Conntrack security group driver appears to function correctly with the > userspace connection tracker. > > > > We have not looked at any of the performance yet but assuming it is at an > acceptable level I am planning to > > Deprecate the learn action based driver in networking-ovs-dpdk and remove it > once we have cut the stable newton > > Branch. > > > > We hope to do some rfc 2544 throughput testing to evaluate the performance > sometime mid-September. > > Assuming all goes well I plan on enabling the conntrack based security group > driver by default when the > > Networking-ovs-dpdk devstack plugin is loaded. We will also evaluate > enabling the security group tests > > In our third party ci to ensure it continues to function correctly with > ovs-dpdk. > > > > Regards > > Seán > > > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk
Hi just a quick fyi, About 2 weeks ago I did some light testing with the conntrack security group driver and the newly Merged upserspace conntrack support in ovs. I can confirm that at least form my initial smoke tests where I Uses netcat ping and ssh to try and establish connections between two vms the Conntrack security group driver appears to function correctly with the userspace connection tracker. We have not looked at any of the performance yet but assuming it is at an acceptable level I am planning to Deprecate the learn action based driver in networking-ovs-dpdk and remove it once we have cut the stable newton Branch. We hope to do some rfc 2544 throughput testing to evaluate the performance sometime mid-September. Assuming all goes well I plan on enabling the conntrack based security group driver by default when the Networking-ovs-dpdk devstack plugin is loaded. We will also evaluate enabling the security group tests In our third party ci to ensure it continues to function correctly with ovs-dpdk. Regards Seán __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev