[Devel] [TRD] Changes in network shaping for vz7

Maxim Perevedentsev mperevedentsev at parallels.com
Mon Jul 20 09:54:50 PDT 2015



*1. Feature*

*a)* Switch from CBQ traffic shaper to HTB.
https://jira.sw.ru/browse/PSBM-18245

*b)* Added packet rate limitation.
https://jira.sw.ru/browse/PSBM-17708

*2. Description*

*a)* The HTB traffic shaper has the following advantages:

  * higher accuracy
  * does not need bandwidth for interfaces

Therefore we made bandwidth rate optional in vz.conf:
https://jira.sw.ru/browse/PSBM-28834?focusedCommentId=2503775&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2503775

We use the BANDWIDTH parameter from vz.conf only to get the list of
configured devices. So
   BANDWIDTH="eth0 eth1:100000"
is valid syntax now.


*b)* To prevent e.g. DoS attacks it is not enough to limit outgoing 
bandwidth. Despite being limited in bandwidth, we still can produce a 
great number of packets. Thus we need to limit packet rate along with 
byte rate.

This feature is implemented using HTB 'mpu' (Minimum packet unit) param. 
It makes small packets with size < MPU bytes consume MPU HTB tokens. 
Consequently, the maximum allowed packet rate is
TOTALRATE (bytes) / MPU (bytes/packet).

We introduce a new *optional* parameter in vz.conf:
RATEMPU="<dev|*>:<class>[:<mpu>] ..."

 1. If <dev>:<class> is not present in RATEMPU, no packet rate
    limitation is done for it.
 2. If <mpu> is not present for <dev>:<class>, then the default MPU
    (1000) is used.

The default value of 1000 (not e.g. mtu ~ 1500) was chosen because too 
high MPU makes configured TOTALRATE unreachable (TOTALRATE can be 
reached only with packets of size >= MPU; such large packets are 
unusual). The value of 1000 is big enough to prevent DoS but realistic 
in terms of packet size.

To implement this feature we made the following modifications:

 1. Added RateMPU integer parameter to NetworkConfig.xsd in SDK
    (*default: 0 - enabled*).
 2. Added NRM_ENABLED=0, NRM_DISABLED=-1 to PrlEnums.h in SDK.
 3. Added PrlNetworkShapingEntry_Get(Set)RateMPU functions to
    PrlApiNet.h in SDK.
 4. Added RATEMPU param to default config in vzctl, added entry to 'man
    5 vz'.
 5. Necessary implementation.

RATEMPU is enabled by default for every newly created 
NetworkShapingEntry. The values 0 and -1 are special, reserved for 
constants NRM_ENABLED (use default MPU value) and NRM_DISABLED (do not 
limit packet rate for this entry).

*3. Products*

Virtuozzo 7 beta1

Packages:

*a)*

  * libvzctl >= 7.0.61

*b)*

  * libprlsdk >= 7.0.20
  * prl-disp-service >= 7.0.68
  * libvzctl >= 7.0.70
  * vzctl >= 7.0.50

*4. Testing*

Need to test the following cases:

*a)*

  * Shaper is accurate, even for high rates (~1Gbit/s).

*b)*

  * mpu parameter is used by HTB and shown in "tc -d class show ..."
  * packet rate is limited by value of TOTALRATE / RATEMPU.
  * packet rate limit is enabled for newly-created shaping entries with
    default RATEMPU (1000).
  * packet rate is disabled (if arg == -1) or RATEMPU value is equal to
    given value (arg > 0) according to SetRateMPU() argument.

*5. Known issues*

For mpu >= 300, there is some magic in tc, so given mpu value is split 
into 'mpu' and 'overhead' parameters.

mpu HTB parameter is (was?) ignored in vz7:
https://jira.sw.ru/browse/PSBM-34874

*6. What was checked by developer*

*a)* Two servers connected with a crossover. Measured HTB accuracy, got 
the following results:
https://jira.sw.ru/browse/PSBM-18245?focusedCommentId=2525949&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2525949

*b)* Nothing. See section 5.

*7. Feature owner*

*a)* igor at odin.com
*b)* mperevedentsev at odin.com

-- 
Sincerely,
Maxim Perevedentsev
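
The packet-rate formula from section 2b, as an added example (not code from vzctl or the SDK): it parses a RATEMPU value and models the token cost of a packet as max(size, MPU), showing both the packet-rate cap and why a large MPU keeps small-packet traffic below TOTALRATE. Assumptions: rates are given in bytes per second, an exact device entry takes precedence over '*', the function names are hypothetical, and the tc mpu/overhead split from section 5 is not modelled.

```python
DEFAULT_MPU = 1000  # default MPU stated in the message


def parse_ratempu(value):
    """Parse '<dev|*>:<class>[:<mpu>] ...' into {(dev, class): mpu}."""
    table = {}
    for entry in value.split():
        parts = entry.split(":")
        if len(parts) not in (2, 3) or not parts[0]:
            raise ValueError(f"bad RATEMPU entry: {entry!r}")
        mpu = int(parts[2]) if len(parts) == 3 else DEFAULT_MPU
        if mpu <= 0:
            raise ValueError(f"MPU must be positive: {entry!r}")
        table[(parts[0], int(parts[1]))] = mpu
    return table


def lookup_mpu(table, dev, cls):
    """MPU for dev:class, or None when no packet rate limit applies.

    Assumption: an exact device entry takes precedence over '*'.
    """
    if (dev, cls) in table:
        return table[(dev, cls)]
    return table.get(("*", cls))


def packets_per_second(rate_bytes, size, mpu):
    """Packets/s the class can send: each packet costs max(size, mpu) tokens."""
    return rate_bytes / max(size, mpu or 0)


def throughput(rate_bytes, size, mpu):
    """Bytes/s actually carried at this packet size."""
    return rate_bytes * size / max(size, mpu or 0)


if __name__ == "__main__":
    table = parse_ratempu("eth0:1 *:2:500")  # constructed sample value
    rate = 1_250_000  # constructed: 10 Mbit/s expressed in bytes/s
    for size in (64, 1000, 1500):
        for mpu in (None, lookup_mpu(table, "eth0", 1)):
            print(size, mpu, packets_per_second(rate, size, mpu),
                  throughput(rate, size, mpu))
```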




