[pve-devel] [PATCH] openvswitch hybrid network model implementation
Alexandre DERUMIER
aderumier at odiso.com
Wed Apr 23 10:08:15 CEST 2014
Note about veth performance:
http://stackoverflow.com/questions/18858090/why-containers-network-throughput-is-low
"
The question has been asked on the docker-user mailing list, and after some investigation, we found out that performance of veth in VMs with kernel 3.8 was "not great", and was significantly improved with kernel 3.10.
"
So, it should be tested! (Now that Red Hat supports Docker, maybe they have made improvements in veth.)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, April 23, 2014 10:03:38
Subject: Re: [pve-devel] [PATCH] openvswitch hybrid network model implementation
>>I wonder if that would help to solve above problems?
>>And what performance would we get?
I'm a bit worried about veth performance; all benchmarks I have seen show around 4gbit/s.
And with vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY, that means that 2 taps in the same bridge/vlan should communicate through 2 veth.
So maybe the performance impact is bigger than having a lot of rules.
>>1.) It does not work 100% out of the box (needs veth hack). Difficult to explain to users.
yes indeed
>>2.) iptables chains grow if we have many VMs (clumsy)
I'm not sure it'll be different, because you need to parse all tap chains to find the good one.
In 1 direction only, but it needs to be done twice, for each bridge.
>>3.) does not work with OVS
well, for ovs + tapbridge, it's working fine now ;)
>>Also note that we do not need to enable netfilter on vmbr0 with this setup. so we can
>>completely exclude VMs from using the firewall (such VM won't notice a performance
>>penalty).
Do you want to plug VMs without firewall directly on vmbr0?
Or is it possible to disable netfilter on a specific fwbrXXXiY?
But we also have ovs now, so maybe users could choose ovs if they want more performance.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Wednesday, April 23, 2014 08:57:51
Subject: RE: [pve-devel] [PATCH] openvswitch hybrid network model implementation
Hi Alexandre,
to be honest, I am also not particularly happy with the current Linux bridge based
implementation, because
1.) It does not work 100% out of the box (needs veth hack). Difficult to explain to users.
2.) iptables chains grow if we have many VMs (clumsy)
3.) does not work with OVS
So I wonder if we could use a similar approach for linux bridge instead?
We currently have:
veth0<-->vmbr0<-->tapXXXiY
vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY
I wonder if that would help to solve above problems? And what performance would we get?