| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jan 2011 19:16:29 -0800 From: John Fastabend <john.r.fastabend@...el.com> To: Jay Vosburgh <fubar@...ibm.com> CC: "Oleg V. Ukhno" <olegu@...dex-team.ru>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "David S. Miller" <davem@...emloft.net> Subject: Re: [PATCH] bonding: added 802.3ad round-robin hashing policy for single TCP session balancing On 1/14/2011 4:05 PM, Jay Vosburgh wrote: > Oleg V. Ukhno <olegu@...dex-team.ru> wrote: >> Jay Vosburgh wrote: >> >>> This is a violation of the 802.3ad (now 802.1ax) standard, 5.2.1 >>> (f), which requires that all frames of a given "conversation" are passed >>> to a single port. >>> >>> The existing layer3+4 hash has a similar problem (that it may >>> send packets from a conversation to multiple ports), but for that case >>> it's an unlikely exception (only in the case of IP fragmentation), but >>> here it's the norm. At a minimum, this must be clearly documented. >>> >>> Also, what does a round robin in 802.3ad provide that the >>> existing round robin does not? My presumption is that you're looking to >>> get the aggregator autoconfiguration that 802.3ad provides, but you >>> don't say. > > I'm still curious about this question. Given the rather > intricate setup of your particular network (described below), I'm not > sure why 802.3ad is of benefit over traditional etherchannel > (balance-rr / balance-xor). > >>> I don't necessarily think this is a bad cheat (round robining on >>> 802.3ad as an explicit non-standard extension), since everybody wants to >>> stripe their traffic across multiple slaves. I've given some thought to >>> making round robin into just another hash mode, but this also does some >>> magic to the MAC addresses of the outgoing frames (more on that below). >> Yes, I am resetting MAC addresses when transmitting packets to have switch >> to put packets into different ports of the receiving etherchannel. > > By "etherchannel" do you really mean "Cisco switch with a > port-channel group using LACP"? > >> I am using this patch to provide full-mesh ISCSI connectivity between at >> least 4 hosts (all hosts of course are in same ethernet segment) and every >> host is connected with aggregate link with 4 slaves(usually). >> Using round-robin I provide near-equal load striping when transmitting, >> using MAC address magic I force switch to stripe packets over all slave >> links in destination port-channel(when number of rx-ing slaves is equal to >> number ot tx-ing slaves and is even). > > By "MAC address magic" do you mean that you're assigning > specifically chosen MAC addresses to the slaves so that the switch's > hash is essentially "assigning" the bonding slaves to particular ports > on the outgoing port-channel group? > > Assuming that this is the case, it's an interesting idea, but > I'm unconvinced that it's better on 802.3ad vs. balance-rr. Unless I'm > missing something, you can get everything you need from an option to > have balance-rr / balance-xor utilize the slave's permanent address as > the source address for outgoing traffic. > >> [...] So I am able to utilize all slaves >> for tx and for rx up to maximum capacity; besides I am getting L2 link >> failure detection (and load rebalancing), which is (in my opinion) much >> faster and robust than L3 or than dm-multipath provides. >> It's my idea with the patch > > Can somebody (John?) more knowledgable than I about dm-multipath > comment on the above? Here I'll give it a go. I don't think detecting L2 link failure this way is very robust. If there is a failure farther away then your immediate link your going to break completely? Your bonding hash will continue to round robin the iscsi packets and half them will get dropped on the floor. dm-multipath handles this reasonably gracefully. Also in this bonding environment you seem to be very sensitive to RTT times on the network. Maybe not bad out right but I wouldn't consider this robust either. You could tweak your scsi timeout values and fail_fast values, set the io retry to 0 to cause the fail over to occur faster. I suspect you already did this and still it is too slow? Maybe adding a checker in multipathd to listen for link events would be fast enough. The checker could then fail the path immediately. I'll try to address your comments from the other thread here. In general I wonder if it would be better to solve the problems in dm-multipath rather than add another bonding mode? OVU - it is slow(I am using ISCSI for Oracle , so I need to minimize latency) The dm-multipath layer is adding latency? How much? If this is really true maybe its best to the address the real issue here and not avoid it by using the bonding layer. OVU - it handles any link failures bad, because of it's command queue limitation(all queued commands above 32 are discarded in case of path failure, as I remember) Maybe true but only link failures with the immediate peer are handled with a bonding strategy. By working at the block layer we can detect failures throughout the path. I would need to look into this again I know when we were looking at this sometime ago there was some talk about improving this behavior. I need to take some time to go back through the error recovery stuff to remember how this works. OVU - it performs very bad when there are many devices and maтy paths(I was unable to utilize more that 2Gbps of 4 even with 100 disks with 4 paths per each disk) Hmm well that seems like something is broken. I'll try this setup when I get some time next few days. This really shouldn't be the case dm-multipath should not add a bunch of extra latency or effect throughput significantly. By the way what are you seeing without mpio? Thanks, John -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists