note that about veth performance : http://stackoverflow.com/questions/18858090/why-containers-network-throughput-is-low
" he question has been asked on the docker-user mailing list, and after some investigation, we found out that performance of veth in VMs with kernel 3.8 was "not great", and was significantly improved with kernel 3.10. " So, it should be tested ! (now that redhat support docker, maybe they have made improvement in veth) ----- Mail original ----- De: "Alexandre DERUMIER" <[email protected]> À: "Dietmar Maurer" <[email protected]> Cc: [email protected] Envoyé: Mercredi 23 Avril 2014 10:03:38 Objet: Re: [pve-devel] [PATCH] openvswitch hybrid network model implementation I wonder if that would help to solve above problems? >>And what performance would be get? I'm a bit worried about veth performance, all benchmarks I have see show around 4gbit/s. and with vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY, that's mean that 2 taps in the same brige/vlan, show communicate through 2 veth. So maybe performance impact is bigger than have a lot of rules. >>1.) I does not work 100% out of the box (needs veth hack). Difficult to >>explain to users. yes indeed >>2.) iptables chains grows if we have many VM (clumsy) I'm not I'll be different, because you need to parse all tap chains to find the good one. in 1 direction only, but it need to done twice, for each bridge >>3.) does not work with OVS well, for ovs + tapbridge, it's working fine now ;) >>Also note that we do not need to enable netfilter on vmbr0 with this setup. >>so we can >>completely exclude VMs from using the firewall (such VM won't notice a >>performance >>penalty). do you wan to plug vm without firewall directly on vmbr0 ? Or is it possible to disable netfilter on a specific fwbrXXXiY ? But, we have also ovs now, so maybe users could choose ovs, if they want more performance. ----- Mail original ----- De: "Dietmar Maurer" <[email protected]> À: "Alexandre Derumier" <[email protected]>, [email protected] Envoyé: Mercredi 23 Avril 2014 08:57:51 Objet: RE: [pve-devel] [PATCH] openvswitch hybrid network model implementation Hi Alexandre, to be honest, I am also not particularly happy with the current linux bridge based implementation, because 1.) I does not work 100% out of the box (needs veth hack). Difficult to explain to users. 2.) iptables chains grows if we have many VM (clumsy) 3.) does not work with OVS So I wonder if we could use a similar approach for linux bridge instead? We currently have: veth0<-->vmbr0<-->tapXXXiY vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY I wonder if that would help to solve above problems? And what performance would be get? _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
