[Users] [TRD] Changes in network shaping for vz7
Maxim Perevedentsev
mperevedentsev at parallels.com
Mon Jul 20 09:54:50 PDT 2015
*1. Feature*
*a)* Switch from CBQ traffic shaper to HTB.
https://jira.sw.ru/browse/PSBM-18245
*b)* Added packet rate limitation.
https://jira.sw.ru/browse/PSBM-17708
*2. Description*
*a)* The HTB traffic shaper has the following advantages:
* higher accuracy
* does not need bandwidth for interfaces
Therefore we made bandwidth rate optional in vz.conf:
https://jira.sw.ru/browse/PSBM-28834?focusedCommentId=2503775&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2503775
We use the BANDWIDTH parameter from vz.conf only to get the list of
configured devices. So
BANDWIDTH="eth0 eth1:100000"
is a valid syntax now.
*b)* To prevent e.g. DoS attacks it is not enough to limit outgoing
bandwidth. Despite being limited in bandwidth, we still can produce a
great number of packets. Thus we need to limit packet rate along with
byte rate.
This feature is implemented using HTB 'mpu' (Minimum packet unit) param.
It makes small packets with size < MPU bytes consume MPU HTB tokens.
Consequently, the maximum allowed packet rate is
TOTALRATE (bytes) / MPU (bytes/packet).
We introduce a new *optional* parameter in vz.conf:
RATEMPU="<dev|*>:<class>[:<mpu>] ..."
1. If <dev>:<class> is not present in RATEMPU, no packet rate
limitation is done for it.
2. If <mpu> is not present for <dev>:<class>, then the default MPU
(1000) is used.
The default value of 1000 (not e.g. mtu ~ 1500) was chosen because too
high MPU makes configured TOTALRATE unreachable (TOTALRATE can be
reached only with packets of size >= MPU; such large packets are
unusual). The value of 1000 is big enough to prevent DoS but realistic
in terms of packet size.
To implement this feature we made the following modifications:
1. Added RateMPU integer parameter to NetworkConfig.xsd in SDK
(*default: 0 - enabled*).
2. Added NRM_ENABLED=0, NRM_DISABLED=-1 to PrlEnums.h in SDK.
3. Added PrlNetworkShapingEntry_Get(Set)RateMPU functions to
PrlApiNet.h in SDK.
4. Added RATEMPU param to default config in vzctl, added entry to 'man
5 vz'.
5. Necessary implementation.
RATEMPU is enabled by default for every newly created
NetworkShapingEntry. The values 0 and -1 are special, reserved for
constants NRM_ENABLED (use default MPU value) and NRM_DISABLED (do not
limit packet rate for this entry).
*3. Products*
Virtuozzo 7 beta1
Packages:
*a)*
* libvzctl >= 7.0.61
*b)*
* libprlsdk >= 7.0.20
* prl-disp-service >= 7.0.68
* libvzctl >= 7.0.70
* vzctl >= 7.0.50
*4. Testing*
Need to test the following cases:
*a)*
* Shaper is accurate, even for high rates (~1Gbit/s).
*b)*
* mpu parameter is used by HTB and shown in "tc -d class show ..."
* packet rate is limited by value of TOTALRATE / RATEMPU.
* packet rate limit is enabled for newly-created shaping entries with
default RATEMPU (1000).
* packet rate is disabled (if arg == -1) or RATEMPU value is equal to
given value (arg > 0) according to SetRateMPU() argument.
*5. Known issues*
For mpu >= 300, there is some magic in tc, so the given mpu value is split
into 'mpu' and 'overhead' parameters.
mpu HTB parameter is (was?) ignored in vz7:
https://jira.sw.ru/browse/PSBM-34874
*6. What was checked by developer*
*a)* Two servers connected with a crossover. Measured HTB accuracy, got
the following results:
https://jira.sw.ru/browse/PSBM-18245?focusedCommentId=2525949&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2525949
*b)* Nothing. See section 5.
*7. Feature owner*
*a)* igor at odin.com
*b)* mperevedentsev at odin.com
--
Sincerely,
Maxim Perevedentsev
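
The RATEMPU lookup and the TOTALRATE / MPU ceiling from section 2b, as an added example (not part of the original message and not vzctl code). It assumes an exact device entry takes precedence over `*`, which the message does not state, and takes TOTALRATE already expressed in bytes per second; all function names are hypothetical.

```python
# Added example: models the RATEMPU rules from the message; not vzctl code.
DEFAULT_MPU = 1000  # default MPU stated in the message


def parse_ratempu(value):
    """Parse '<dev|*>:<class>[:<mpu>] ...' into {(dev, class): mpu}."""
    entries = {}
    for token in value.split():
        parts = token.split(":")
        if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
            raise ValueError(f"malformed RATEMPU entry: {token!r}")
        mpu = int(parts[2]) if len(parts) == 3 else DEFAULT_MPU
        # Assumption: vz.conf carries only positive MPU values; the special
        # values 0 and -1 belong to the SDK API, not to this string.
        if mpu <= 0:
            raise ValueError(f"MPU must be positive: {token!r}")
        entries[(parts[0], parts[1])] = mpu
    return entries


def effective_mpu(entries, dev, cls):
    """MPU for dev:class, or None when the pair is absent (no packet limit)."""
    # Assumption: an exact device entry takes precedence over the '*' wildcard.
    if (dev, cls) in entries:
        return entries[(dev, cls)]
    return entries.get(("*", cls))


def max_packet_rate(total_rate, mpu):
    """Packets/s ceiling TOTALRATE / MPU; None means packet rate is unlimited."""
    return None if mpu is None else total_rate // mpu


def achievable_byte_rate(total_rate, mpu, packet_size):
    """Bytes/s reachable with fixed-size packets: each costs max(size, MPU)."""
    cost = packet_size if mpu is None else max(packet_size, mpu)
    return total_rate * packet_size // cost


if __name__ == "__main__":
    conf = parse_ratempu("eth0:1:500 *:1 eth1:2")  # constructed sample value
    rate = 1_000_000  # constructed TOTALRATE, bytes per second
    for dev, cls in [("eth0", "1"), ("eth2", "1"), ("eth0", "3")]:
        mpu = effective_mpu(conf, dev, cls)
        print(dev, cls, mpu, max_packet_rate(rate, mpu),
              achievable_byte_rate(rate, mpu, 64))
```

With 64-byte packets and the default MPU the shaped class moves only 64/1000 of TOTALRATE, which is the trade-off behind choosing 1000 rather than an MTU-sized default.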