Spec for SR-IOV feature

Change-Id: Id7ef1f9908969a251005ba23bc4a0b45a819f01f
This commit is contained in:
Przemysław 2016-07-26 15:24:43 +02:00 committed by Oleksandr Martsyniuk
parent 43ef34dac5
commit ad8f5c940b
1 changed files with 217 additions and 137 deletions


@ -287,143 +287,6 @@ Requirements
None
DPDK-based vRouter on virtual function (VF)
===========================================
Problem description
-------------------
DPDK (Data Plane Development Kit) allows access to the hardware directly from
applications by passing Linux networking stack (binding interface will not be
seen by the kernel). This reduces latency and allows more packets to be processed.
However, it has many `limitations <http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#improving-response-time>`_
and many features that Linux provides are not available with DPDK. Binding interface is not
seen by the kernel and accordingly - the user can't reuse it. For environment with complex network
schema or on servers with low amount of network interfaces it can be significant disadvantage.
Proposed solution
-----------------
Instead of whole interface use the Virtual Function as a target for DPDK-based
vRouter. This will allow to use same hardware adapter as used for DPDK-based vRouter for other purposes.
UI impact
---------
Checkbox in DPDK section of contrail settings. It will be disabled by default.
Also DPDK and SRIOV roles need to be assigned on node to enable this feature
(more details will be described in documentation).
Performance impact
------------------
No additional impact compared to the main DPDK feature.
Documentation Impact
--------------------
User guide should be updated with information about usage of this feature.
Upgrade impact
--------------
None
Data model impact
-----------------
None
Other end user impact
---------------------
None
Security impact
---------------
None
Notifications impact
--------------------
None
Requirements
------------
None
Enable HTTPS for public Contrail endpoints
==========================================
Problem description
-------------------
OpenStack and Contrail services receive requests from public networks that are untrusted area.
As the network path between the end-users and the services is untrusted, encryption is required to
ensure confidentiality. This can be achieved by implementing Secure Sockets Layer as recommended in
the OpenStack security guide.
Proposed solution
-----------------
Fuel can configure secure access for public-facing OpenStack services such as Nova API and Horizon
by configuring Haproxy to recieve SSL connections as described in [2].
However, Contrail configuration API has no encryption enabled, but is exposed on public endpoint.
Contrail Web UI has SSL enabled, but uses self-signed certificate by default.
Fuel Contrail plugin should inherit SSL/TLS settings from Fuel UI configuration and configure
encrypted public endpoints for Contrail API and Contrail Web UI using the hostname and cerificate
shared with Horizon.
UI impact
---------
There are no changes in plugin settings tab.
Performance impact
------------------
The SSL-overhead is generally small. The major cost of HTTPS is the SSL handshaking so depending the
typical session length and the caching behavior of clients the overhead may be different. For very
short sessions you can see performance issue.
Documentation Impact
--------------------
None
Upgrade impact
--------------
None
Data model impact
-----------------
None
Other end user impact
---------------------
None
Security impact
---------------
Using encrypted connections to Contrail API via public network and using Horizon certificate for
Contrail Web UI improves the confidentiality and security.
Notifications impact
--------------------
None
Requirements
------------
None
DPDK-based vRouter feature
==========================
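Review bot: This hunk is a pure relocation, not a deletion: the "DPDK-based vRouter on virtual function (VF)" and "Enable HTTPS for public Contrail endpoints" sections removed here are re-added verbatim in the next hunk, so the move carries every existing defect along with it. Two should not survive the move: the `limitations <http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#improving-response-time>`_ link in the DPDK problem description points at the keystonemiddleware architecture page, which says nothing about DPDK, and "by passing Linux networking stack" should read "bypassing the Linux networking stack" since the sentence describes the kernel being skipped. Consider splitting the relocation into its own commit so the diff for the new SR-IOV section stays reviewable.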
@ -505,6 +368,222 @@ Requirements
Network card on Computes which are selected to use DPDK, should support DPDK.
_`List of supported NICs <http://dpdk.org/doc/nics>`
Enable SRIOV for Contrail
=========================
Problem description
-------------------
The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification
defines a standardized mechanism to create natively shared devices providing dedicated
resources within the Ethernet controller (Physical Function) via Virtual Functions.
Contrail supports SR-IOV starting from version 3.0, so the Fuel Contrail plugin should
also support this feature.
Proposed solution
-----------------
To select the compute nodes with SR-IOV enabled, a plugin-defined role will be added.
The NICs on hosts carrying this role will be configured to use the maximum number of VFs
supported on the particular system. The network cards for SR-IOV are selected to satisfy
such conditions:
- NIC supports SR-IOV
- NIC is not a part of any bond, bridge and is not used with vRouter
- link state is up
The list of PCI IDs of SR-IOV NICs will be added to pci_passthrough_whitelist on compute nodes,
PciPassthroughFilter will be enabled on controllers.
UI impact
---------
SR-IOV compute role should be present in list of node roles.
Plugin settings should have a checkbox that enables SR-IOV globally.
A field with physnet name for SR-IOV should be added to plugin settings.
Performance impact
------------------
SR-IOV makes it possible to run a large number of VMs with high network load per compute host
without increasing the number of physical NICs, off-loading the hypervisor and significantly improving
both throughput and gaining deterministic network performance.
Documentation Impact
--------------------
User guide should be updated with information on how to enable SR-IOV
Upgrade impact
--------------
None
Data model impact
-----------------
None
Other end user impact
---------------------
A new role with name 'SR-IOV' will be available for assigning to
computes in nodes tab of the Fuel Web UI.
Security impact
---------------
None
Notifications impact
--------------------
None
Requirements
------------
Compute nodes are expected to be equipped with network cards cappable of SR-IOV,
SR-IOV must be enabled in BIOS settings.
DPDK-based vRouter on virtual function (VF)
===========================================
Problem description
-------------------
DPDK (Data Plane Development Kit) allows access to the hardware directly from
applications by passing Linux networking stack (binding interface will not be
seen by the kernel). This reduces latency and allows more packets to be processed.
However, it has many `limitations <http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#improving-response-time>`_
and many features that Linux provides are not available with DPDK. Binding interface is not
seen by the kernel and accordingly - the user can't reuse it. For environment with complex network
schema or on servers with low amount of network interfaces it can be significant disadvantage.
Proposed solution
-----------------
Instead of whole interface use the Virtual Function as a target for DPDK-based
vRouter. This will allow to use same hardware adapter as used for DPDK-based vRouter for other purposes.
UI impact
---------
Checkbox in DPDK section of contrail settings. It will be disabled by default.
Also DPDK and SRIOV roles need to be assigned on node to enable this feature
(more details will be described in documentation).
Performance impact
------------------
No additional impact compared to the main DPDK feature.
Documentation Impact
--------------------
User guide should be updated with information about usage of this feature.
Upgrade impact
--------------
None
Data model impact
-----------------
None
Other end user impact
---------------------
None
Security impact
---------------
None
Notifications impact
--------------------
None
Requirements
------------
None
Enable HTTPS for public Contrail endpoints
==========================================
Problem description
-------------------
OpenStack and Contrail services receive requests from public networks that are untrusted area.
As the network path between the end-users and the services is untrusted, encryption is required to
ensure confidentiality. This can be achieved by implementing Secure Sockets Layer as recommended in
the OpenStack security guide.
Proposed solution
-----------------
Fuel can configure secure access for public-facing OpenStack services such as Nova API and Horizon
by configuring Haproxy to recieve SSL connections as described in [2].
However, Contrail configuration API has no encryption enabled, but is exposed on public endpoint.
Contrail Web UI has SSL enabled, but uses self-signed certificate by default.
Fuel Contrail plugin should inherit SSL/TLS settings from Fuel UI configuration and configure
encrypted public endpoints for Contrail API and Contrail Web UI using the hostname and cerificate
shared with Horizon.
UI impact
---------
There are no changes in plugin settings tab.
Performance impact
------------------
The SSL-overhead is generally small. The major cost of HTTPS is the SSL handshaking so depending the
typical session length and the caching behavior of clients the overhead may be different. For very
short sessions you can see performance issue.
Documentation Impact
--------------------
None
Upgrade impact
--------------
None
Data model impact
-----------------
None
Other end user impact
---------------------
None
Security impact
---------------
Using encrypted connections to Contrail API via public network and using Horizon certificate for
Contrail Web UI improves the confidentiality and security.
Notifications impact
--------------------
None
Requirements
------------
None
Implementation
==============
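Review bot: The "Security impact" of the new "Enable SRIOV for Contrail" section reads "None", yet the proposed solution adds the VF PCI IDs to pci_passthrough_whitelist, enables PciPassthroughFilter, and deliberately selects only NICs that are "not used with vRouter", so tenant VMs get direct access to NIC virtual functions whose traffic does not traverse the vRouter. The section should state whether Contrail network policies and security groups are enforced on SR-IOV ports at all and, if they are not, say so explicitly and name the physnet entered in the new settings field as the trust boundary the operator must isolate. Smaller points in the same hunk: the "Requirements" of the HTTPS section still says "None" although its proposed solution depends on SSL/TLS being configured in Fuel UI with a hostname and certificate shared with Horizon; the "[2]" citation must still resolve after the move; and the context line "_`List of supported NICs <http://dpdk.org/doc/nics>`" has the RST underscore on the wrong side (a named hyperlink ends with the trailing `_`), so it will not render as a link.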
@ -549,6 +628,7 @@ Work items
- Update the manifests to use ssl settings for haproxy
- Add checkbox to environment config
- Make network provisioning conditional
- Add checkbox for SR-IOV feature
- Add checkbox for DPDK on VF feature
- Add additional puppet class that will enable DPDK on VF feature on compute nodes
- Ensure idempotency of DPDK on VF feature in puppet code.
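Review bot: The added work item "Ensure idempotency of DPDK on VF feature in puppet code." does not say what idempotency means for this feature; it should spell out what a second puppet run must not do (for example re-create VFs or rebind an interface that is already bound to DPDK), otherwise it cannot be verified. Its trailing period also breaks the style of the other items. Separately, the work items list now has entries for the checkboxes and the puppet class, but none for the SR-IOV role definition, the pci_passthrough_whitelist/PciPassthroughFilter configuration, or the HTTPS certificate handling that the spec sections above describe; each of those needs an item of its own.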