-
Notifications
You must be signed in to change notification settings - Fork 29
[Feature] Zeta integration implementation #149
Comments
Hello, I will follow up on this issue. |
@zhangml - cool, I have assigned this issue to you. Do let me know if you have any questions on this. |
Hi, Eric, I want to know more about the meaning of "Goal state message change from Alcor server to ACA". |
Hi @zhangml - the Goal state message is used for communication between Alcor Server to ACA, with Zeta support, we will likely need to change the message format (aka contract). This is a needed change for Zeta and I am thinking the Alcor team (possibly me) will take care of it. |
In #148 Manual construction and testing of openflow rule for Zeta integration. To install the direct path, the following flow table needs to be issued:
At the same time, deleting the direct path also needs to delete these flow entries. However, the OAM Flow Deletion type data packet does not contain the mac address information of the destination instance. |
@zhangml - a few comments:
To sum up, we will need to adjust the manual openflow rules. Please work with @Zqy11 on this. Thanks. |
In OAM patcket, what is the difference between Inner Packet DIP and Destination Inst IP? |
I think they are the same. @liangbin-pub can you confirm? |
When Destination IP is a service virtual IP, the OAM will return with real IP (instance IP of the service vIP) for final encapsulation |
Hello, the first packet uploaded to zeta also passes through the vxlan tunnel, which means that a vxlan tunnel port needs to be added to the Zeta gateway and computing node. Who should perform this operation? Do I need to consider the creation of a vxlan tunnel port when processing AuxGateway messages? |
Not sure what you mean by port here, one host will talk to thousands of hosts, including gateway, all with vxlan encap. If we have to create thousands of tunnel ports in order to do vxlan encap, that would be a nightmare.
At gateway, we certainly won't rely on having a "tunnel port" to do encap/decap. It's just one field in our flow tables.
Remember, vxlan identifies a "network", based on which "network" the sender belongs to, has nothing to do with receiver. Hope this helps.
Thanks,
Bin
…________________________________
From: zml <[email protected]>
Sent: Thursday, November 12, 2020 2:35 AM
To: futurewei-cloud/alcor-control-agent <[email protected]>
Cc: Bin Liang <[email protected]>; Mention <[email protected]>
Subject: Re: [futurewei-cloud/alcor-control-agent] [Feature] Zeta integration implementation (#149)
Hello, the first packet uploaded to zeta also passes through the vxlan tunnel, which means that a vxlan tunnel port needs to be added to the Zeta gateway and computing node. Who should perform this operation? Do I need to consider the creation of a vxlan tunnel port when processing AuxGateway messages?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ffuturewei-cloud%2Falcor-control-agent%2Fissues%2F149%23issuecomment-725927918&data=04%7C01%7Cbin.liang%40futurewei.com%7Cc606260988df47d812c008d886e5ecb2%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637407669358327828%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=jTnKQaly8cv8jx12PxOQ%2BtCWmH%2BgXUaeBJVqPY18m28%3D&reserved=0>, or unsubscribe<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMUSBBRSTFUAOCJKGTZWG3DSPOM5JANCNFSM4SXU63DA&data=04%7C01%7Cbin.liang%40futurewei.com%7Cc606260988df47d812c008d886e5ecb2%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637407669358337815%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Lbu6W4PjfwcfFub2SSyqMSn4VtN5bCbnkXsCO7T3F4A%3D&reserved=0>.
|
Okay, got it. In other words, the sending source does not care whether the destination vtep interface has been created, nor does it matter how the peer end decapsulates. But I have a new problem: the original data packet sent to the zeta gateway needs to encapsulate the gateway's ip and mac information in the outer layer, and this can be done through a vtep. But if there is no vtep corresponding to the gateway ip on the computing node after the zeta state message is delivered, do we need to create a vtep interface on the computing node? If necessary, is it done by the way in this step of “zeta goal state message processing”? |
Hi,Eric. I have two programming questions.
|
I discussed with Bin this morning. The way ACA is doing today is to create the vtep outport based on remote IP. It is similar to openstack and other samples I found. Zeta implementation doesn't need to follow the same way. Please spend a day or two to see if there is a better way suggested by Bin's highlevel idea. Work with @Zqy11 on this. If you two confirmed there is no other way, then you can follow the current ACA approach.
Yes.
No, the AuxGateway message is part of VpcState message which already has operation_type.
@cj-chung - what do you think? Can @zhangml easily add that support? The group rule looks like:
let's do this for good code seperation: Note that the contract change has been merged into Alcor master. You can simply update your git clone's Alcor submodule to see the latest contract with preliminary Zeta support. futurewei-cloud/alcor#467 |
For the test environment setup and test code change. Can we have @Zqy11 to focus help on that? It is a critical item as we move into the next phrase of the project. |
@zhangml - FYI, this is how I consume the new contract in my branch: The highlevel steps are: And you can pull my change into your branch if you like :) |
Hello,Eric. I have updated the PR for tomorrow's discussion, but there are still some parts of the code that are not completed. |
#158 I added an aca_oam_port_manager file to track and manage the life cycle of the oam port, and install oam punt rules. |
Hi,Eric @er1cthe0ne . Regarding GoalState &parsed_struct, I want to know that it saves information about all aspects of the network (such as vpcstate, portstate, subnetstate)? If so, is this information complete? |
I noticed that the parameter neighbor_id was added to the parameters of create_or_update_neighbor_port(). When issuing the direct route, if you need to create a neighbour_port, how do you get the corresponding neighbour_id?
|
Hi @zhangml - the current ACA implementation on neighbor communication is restrictive in the sense that both source and destination sides needs to create a specific "outport" using remote host IP in order to establish the communication (both both unicast and multicast). @liangbin-pub and I discussed on this and we believe the security benefit of this approach is minimal, it will filter out bad traffic from a compromised host. For Zeta, if we follow the same approach, it will mean ZGC has to send two OAM packets, one to source host and one to destination host for programming. Since the benefit is minimal as mention above, we will remove this "outport" per remote host IP requirement and use a generic VXLAN outport for both source and destination side. Either just one outport for all vxlan traffic, or it will be better to create one per VPC which has the same VNI and internal VLAN ID. Please work with @Zqy11 to manually try out how the rules would look like based on this approach. Going back to your question on do you need neighbor_id to track Zeta information. It really depends on what we need to track when a zeta enabled port is created/updated/deleted and also what we need to track to handle OAM flow inject/delete packet. Once we tested the manual rules which includes unicast/multicast and this generic vxlan outport, and have your PR fully merged with my port delete change. You can take a stab on the data structure needed. Many we can consider the below: struct vpc_table_entry { |
@zhangml - FYI we just made another contract change addessing a list of planned items. Please review the corresponding ACA change in my branch which is planning to merge into master soon: https://github.com/er1cthe0ne/alcor-control-agent/tree/schema/update |
Hi,Eric. @er1cthe0ne Is there a way to find vlan_id or vpc_id through tunnel_id? Because when installing direct path, vlan_id needs to be converted to tunnel_id through flow table rules. |
@zhangml - we can add a few field into the below structure: struct vpc_table_entry { and populate tunnel_id whenever a new vpc_table_entry maybe needed. After that, we can simply iterate through all vpc_table_entry, find the one has the matching tunnel_id and then we can find the corresponding vlan_id. |
The oam port can also use a similar method to track, but if you want to search, because the key of the vpc_table is vpc_id, it may need to traverse all vpc_table_entry, and the result cannot be obtained in O(1) time through the hash. |
I agree. Since VNI is unique for the region, do you think we can simply use VNI as the key to unordered_map<string, vpc_table_entry> _vpcs_table ? I think that's possible. |
I personally think that vpc_tables may need to be traversed twice during the entire oam packet processing. The first time is in aca_ovs_control::parse_packet(). In this process, you need to check whether the udp destination port is a valid oam server port. If you do not introduce a hash table with oam port as the key, you may need to traverse all vpc_tables once . The second time is to convert vlan_id to tunnel id and it needs to traverse all vpc_tables once. It may be time-consuming if two traversals are required for each oam packet processed. So I think it is better to use VNI as the key, which can eliminate the second traversal. |
For aca_ovs_control::parse_packet(), we need to be careful to not add extra latency because there could be quite a bit of packet_in message send to aca_ovs_control::parse_packet(), that includes OAM, DHCP, ARP, and other L3 packets for on demand routing. Because of that, we will need to introduce a known OAM ports cache to do the valid oam server port check quickly. My thinking is once confirmed it is a valid oam port, it will then send to our OAM packet processing code and re-check there to see it is a valid and known VNI before adding/deleting the direct path rule. For the second pass, let's change the data structure to use VNI as key to eliminate the traveral. |
The outport created by alcor has its own neighbor id, while the outport created locally by aca such as oam packet does not have the neighbor id. So can we also abandon neighbor id? In this way, all neighbor ports can be stored in a table. The other way is to use the current neighbor table results, but assign a meaningless neighbor ID to all locally created neighbor ports.
|
My suggestion above will require changes to existing code. But I think it is still an approach that we can take.
The neighbor id was used to managed the life time of the outport, so multiple neighbors can share one outport, and the outport is only deleted when all the assoicated neighbors are deleted. We can simply abandon it without finding another way to track the life time.
Not sure if we can use a meaningless neighbor ID to track the life time of the outport. |
Hi,Eric. I am performing functional testing of my code and encountered some problems. I installed unicast rules through the following code.
In ACA_OVS_Control::add_flow(), the output port will report an error:output to unknown port. But I found that the port has been created by running "ovs-vsctl show", and running the flow table command directly on the console can be installed successfully. My outport_name is obtained through the "aca_get_outport_name()" method. I guess in ACA_OVS_Control::add_flow(), is there any other ID representation for outport_name? |
The problem you describe is tracked by number 4 in #120. We didn't have a chance to investigate that yet. For the time being, please use the old way to add flows: execute_openflow_command Please go ahead to push what you have into your branch. I may go in and fix some existing test failures this weekend. |
Hi.Eric. Is the id in the "message auxgateway" also a UUID, or is it a string corresponding to a specific number, such as "111"? Because each group entry in ovs needs to specify a group id, which is a number.
|
the "id" field is the ZGC id, that's an UUID which have 32 hex of info: "id": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", It will be better to generate an unique number to use for the group entry and track it inside ACA. See the below as an example, be sure to think about reclaiming when resource is deleted: static atomic_uint current_available_vlan_id(1); Another solution is the hash on the ZGC id to int, but there is always a chance of hash collision even the possibility is small. |
@zhangml Below is the output to confirm options:remote_ip=0.0.0.0 is accepted in OVS: As @liangbin-pub mentioned, let's go with options:remote_ip=flow approach, the next step is to try out the openflow rules manually to confirm it is able use it to send out packets from the source node, and receive packets on the destination node. Details please see |
After a simple test, "remote_ip=flow" should be able to achieve our functions. I added the following flow tables on the two nodes:
or computer2 172.16.62.239
Build docker71:192.168.1.71 on computer1 , and build docker91:192.168.1.91 on computer2 ,and set vlan_id to 1. docker91 can receive the traffic sent by docker71. The main difference between "remote_ip=flow" and "remote_ip=neighbor_ip" is that the former needs to set the tun_dst field through the openflow flow table. For example, set_field:ip->tun_dst. remote_ip=flow means tunnel destination IP will be set by an OpenFlow action. This allows us to add different actions for different destinations using the single OVS/OF port. |
@zhangml - to support the scale requirement, ACA (non-zeta ports) will likely switch to using generic vxlan outport. Here is my manual experiment to confirm that it should work: https://github.com/futurewei-cloud/alcor-control-agent/wiki/Testing-environment-for-using-generic-vxlan-outport I haven't start that change yet. Here is the change I have been doing to remove the top level vpc_table lock and code changes for performance analysis: https://github.com/er1cthe0ne/alcor-control-agent/tree/perf/hashtable |
@er1cthe0ne Can a vpc have several auxGateway at the same time? Can a vpc have multiple different types of auxGateway at the same time? |
@zhangml - a vpc can have:
|
Can these three types of auxgateway be owned at the same time? For example, a vpc has both a zeta and a NAT? |
yes, a VPC can have Zeta and NAT auxGateway at the same time. |
implementation merged as #180 |
Context
This is to track the implementation work in ACA to support Zeta integration, it would follow the design document #147
Proposed Code Changes
(to be updated based on design document #147)
a. done - Goal state message change from Alcor server to ACA
b. done - What are the new function names, should create the dummy functions in ACA
b. Send traffic to different group buckets
c. OAM packet handling, what is the new openflow rule to be programmed
d. Test code updates
Remaining Items
Other Items
@zhangml
The text was updated successfully, but these errors were encountered: