Changes in network shaping for Virtuozzo 7

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search

Feature[edit]

a) Switch from CBQ traffic shaper to HTB. https://jira.sw.ru/browse/PSBM-18245

b) Added packet rate limitation. https://jira.sw.ru/browse/PSBM-17708

Description[edit]

a) HTB traffic shaper has following advantages:

  • higher accuracy
  • does not need bandwidth for interfaces

Therefore we made bandwidth rate optional in vz.conf: https://jira.sw.ru/browse/PSBM-28834?focusedCommentId=2503775&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2503775

We use BANDWIDTH parameter from vz.conf only to get list of configured devices. So 

  BANDWIDTH="eth0 eth1:100000"

is a valid syntax now.

b) To prevent e.g. DoS attacks it is not enough to limit outgoing bandwidth. Despite being limited in bandwidth, we still can produce a great number of packets. Thus we need to limit packet rate along with byte rate.

This feature is implemented using HTB 'mpu' (Minimum packet unit) param. It makes small packets with size < MPU bytes consume MPU HTB tokens. Consequently, the maximum allowed packet rate is TOTALRATE (bytes) / MPU (bytes/packet).

We introduce a new *optional* parameter in vz.conf: RATEMPU="<dev|*>:<class>[:<mpu>] ..."

1. If <dev>:<class> is not present in RATEMPU, no packet rate limitation is done for it. 2. If <mpu> is not present for <dev>:<class>, then the default MPU (1000) is used.

The default value of 1000 (not e.g. mtu ~ 1500) was chosen because too high MPU makes configured TOTALRATE unreachable (TOTALRATE can be reached only with packets of size >= MPU; such large packets are unusual). The value of 1000 is big enough to prevent DoS but realistic in terms of packet size.

To implement this feature we made the following modifications:

1. Added RateMPU integer parameter to NetworkConfig.xsd in SDK (*default: 0 - enabled*). 2. Added NRM_ENABLED=0, NRM_DISABLED=-1 to PrlEnums.h in SDK. 3. Added PrlNetworkShapingEntry_Get(Set)RateMPU functions to PrlApiNet.h in SDK. 4. Added RATEMPU param to default config in vzctl, added entry to 'man 5 vz'. 5. Necessary implementation.

RATEMPU is enabled by default for every newly created NetworkShapingEntry. The values 0 and -1 are special, reserved for constants NRM_ENABLED (use default MPU value) and NRM_DISABLED (do not limit packet rate for this entry).

Products[edit]

Virtuozzo 7 beta1

Packages:

a)

  • libvzctl >= 7.0.61

b)

  • libprlsdk >= 7.0.20
  • prl-disp-service >= 7.0.68
  • libvzctl >= 7.0.70
  • vzctl >= 7.0.50

Testing[edit]

Need to test the following cases:

a) Shaper is accurate, even for high rates (~1Gbit/s).

b)

  • mpu parameter is used by HTB and shown in "tc -d class show ..."
  • packet rate is limited by value of TOTALRATE / RATEMPU.
  • packet rate limit is enabled for newly-created shaping entries with default RATEMPU (1000).
  • packet rate is disabled (if arg == -1) or RATEMPU value is equal to given value (arg > 0) according to SetRateMPU() argument.

Known issues[edit]

For mpu >= 300, there is some magic in tc, so given mpu value is split into 'mpu' and 'overhead' parameters.

mpu HTB parameter is (was?) ignored in vz7: https://jira.sw.ru/browse/PSBM-34874

What was checked by developer[edit]

a) Two servers connected with a crossover. Measured HTB accuracy, got the following results: https://jira.sw.ru/browse/PSBM-18245?focusedCommentId=2525949&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2525949

b) Nothing. See section 5.

Feature owner[edit]

  • igor at virtuozzo.com
  • mperevedentsev at virtuozzo.com

See also[edit]

Retrieved from "https://wiki.openvz.org/index.php?title=Changes_in_network_shaping_for_Virtuozzo_7&oldid=17809"