This is the best link on this topic that I have found.
Lots of great pictures. Pictures are worth a thousand words.
https://www.redhat.com/en/blog/introduction-virtio-networking-and-vhost-net
Friday, November 15, 2019
OpenContrail - Part 1
When I came to this shop and found out that they were running OpenStack but were not running Neutron, I about panicked. Especially when I found out they were running OpenContrail.
OpenContrail uses BGP and XMPP as its control plane protocols and route advertisements/exchanges. And it uses MPLS over GRE/UDP to direct packets. The documentation says it CAN use VXLAN - which Neutron also seems to favor (over GRE tunneling). But here at least, it is being run in the way the designed of OpenContrail wanted it to run - which is as an MPLS L3VPN.
I am going to drop some links in here real quick and come back and flush this blog entry out.
Here is an Architectural Guide on OpenContrail. Make sure you have time to digest this.
https://www.juniper.net/us/en/local/pdf/whitepapers/2000535-en.pdf
Once you read the architecture, here is a Gitbook on OpenContrail that can be used to get more familiarity.
https://sureshkvl.gitbooks.io/opencontrail-beginners-tutorial/content/
Perhaps the stash of gold was the location of a 2013 video from one of the developers of vRouter itself. It turns out most of the stuff in this video is still relevant for OpenContrail several years later. I could not find these slides anywhere, so I did make my own slide deck that highlights important discussions that took place on this video, as well as some of the key concepts shown.
https://www.youtube.com/watch?v=xhn7AYvv2Yg
If you read these, you are halfway there. Maybe more than halfway actually.
OpenContrail uses BGP and XMPP as its control plane protocols and route advertisements/exchanges. And it uses MPLS over GRE/UDP to direct packets. The documentation says it CAN use VXLAN - which Neutron also seems to favor (over GRE tunneling). But here at least, it is being run in the way the designed of OpenContrail wanted it to run - which is as an MPLS L3VPN.
I am going to drop some links in here real quick and come back and flush this blog entry out.
Here is an Architectural Guide on OpenContrail. Make sure you have time to digest this.
https://www.juniper.net/us/en/local/pdf/whitepapers/2000535-en.pdf
Once you read the architecture, here is a Gitbook on OpenContrail that can be used to get more familiarity.
https://sureshkvl.gitbooks.io/opencontrail-beginners-tutorial/content/
Perhaps the stash of gold was the location of a 2013 video from one of the developers of vRouter itself. It turns out most of the stuff in this video is still relevant for OpenContrail several years later. I could not find these slides anywhere, so I did make my own slide deck that highlights important discussions that took place on this video, as well as some of the key concepts shown.
https://www.youtube.com/watch?v=xhn7AYvv2Yg
If you read these, you are halfway there. Maybe more than halfway actually.
High Packet Loss in the Tx of TAP Interfaces
I was seeing some bond interfaces that had high dropped counts, but these were all Rx drops.
I noticed that the tap interfaces on OpenStack compute hosts - which were hooked to OpenContrail's vRouter - had drops on the Tx.
So, in trying to understand why we would be dropping packets on Tap interfaces, I did some poking around and found this link.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/ovs-dpdk_end_to_end_troubleshooting_guide/high_packet_loss_in_the_tx_queue_of_the_instance_s_tap_interface
From this, article, an excerpt:
"TX drops occur because of interference between the instance’s vCPU and other processes on the hypervisor. The TX queue of the tap interface is a buffer that can store packets for a short while in case that the instance cannot pick up the packets. This would happen if the instance’s CPU is prevented from running (or freezes) for a long enough time."
The article goes on and elaborates on diagnosis, and how to fix by adjusting the Tx Queue Length.
SaltStack
I had heard of Puppet. I had heard of Chef. And I knew Ansible quite well because someone I know looked at all three (Puppet, Chef and Ansible) and chose Ansible for our organization.
I had never heard of Salt.
Until now.
Mirantis uses Salt to manage OpenStack infrastructure.
So in having some familiarity with Ansible, it made sense to type into the search engine:
"ansible vs salt'.
Well, sure enough. Someone has done a comparison.
Ansible vs Salt
What I see a number of people doing with Salt, is running remote commands on nodes that they otherwise might not have access to. But - recently, I have started looking more into Salt and it appears to be architected quite similar to Ansible, and is also quite powerful.
One of the features I have recently played around with, is the ability to use "Salt Grains". You can get all kinds of "grains of information" from a host with Salt Grains. In my case, I am calling Salt and telling it to give me all of the grains for all of the hosts in JSON format - and then I parse the json and make a csv spreadsheet. Pretty cool.
There's a lot more. Like Salt States (equivalent to Ansible Modules I think?). There are Salt Pillars.
They use the "salt" theme pretty well in naming all of their extensions.
This link, is called Salt in Ten Minutes. Gives a pretty good overview.
Salt in Ten Minutes
This link, below, is quite handy in figuring out how to target your minions using regular expressions.
https://docs.saltstack.com/en/latest/topics/targeting/globbing.html#regular-expressions
Analyzing Dropped Packets
I recently saw an alert, which created a ticket, for "over 100 dropped packets in 10s".
I thought this was interesting:
- What KIND of packets?
- What if the drops are intentional drops?
- Is 100 dropped packets a LOT?
- How often is this happening?
Lots of questions.
This got me into taking a quick look on a number of different Linux hosts, to see what the drop situation looked like on certain interfaces.
I noticed that most drops on one sample of hosts were Rx packets.
I noticed that drops on most hosts, were Tx packets.
In looking at netstat -s, you can get an amazing picture of exactly why packets are being dropped on a Linux host. It could be related to congestion control, like a socket buffer overrun (applications cannot read fast enough due to high CPU perhaps). Or, it could be dropped because it was supposed to be dropped - maybe there is a checksum error, windowing error, or a packet that should never have arrived in the first place.
One Network Engineer mentioned to me that some packets are dropped due to Packet Cloning, or Packet Redundancy features. These features were enabled so that far-end routers and switches that lost a packet (for one reason or another) close to the destination, didn't have to truck it all the way back to the source for a re-send. But when this feature is used, you can get a lot of dropped packets due to "de-dupping". This could create a false positive. Juniper has a document that describes their Packet Redundancy, or Packet Protection, feature:
Interesting. Worth mentioning, or blogging about. Juniper has a
This link below is also interesting when it comes to finding out how to debug dropped packets.
https://community.pivotal.io/s/article/Network-Troubleshooting-Guide
Here is another interesting link on same topic.
https://jvns.ca/blog/2017/09/05/finding-out-where-packets-are-being-dropped/
This link below is also interesting when it comes to finding out how to debug dropped packets.
https://community.pivotal.io/s/article/Network-Troubleshooting-Guide
Here is another interesting link on same topic.
https://jvns.ca/blog/2017/09/05/finding-out-where-packets-are-being-dropped/
Layer 2 Networking Configuration in Linux
I have not had a tremendous amount of exposure to Layer 2 Networking in Linux, or in general.
The SD-WAN product at my previous startup company has a Layer 2 Gateway that essentially would allow corporations to join LAN segments over a wide area network. So people sitting in an office in, say, Seattle, could be "theoretically" sitting next to some colleagues sitting in an office in, say, Atlanta. All on the same LAN segment. How the product did this is a separate discussions since it involved taking Ethernet Frames, and transporting / tunneling them across the internet (albeit in a very creative and very fast way due to link aggregation, UDP acceleration, multiple channels for delivering the tunneled packets, et al).
I only scratched the surface in terms of understanding the nuances of L2 with this. For example, I learned quite a bit about Bridging (from a Linux perspective). I learned a bit about Spanning Tree Protocol as well, and BPDUS.
I had heard about protocols like LLDP (Link Layer Discovery Protocol), and LACP (Link Aggregation Control Protocol), but since I was not dealing with commercial switches and things, I had no need for enabling, configuring, tuning or analyzing these protocols.
But - I am in an environment now, where these things start to matter a bit more. We run OpenStack hosts that connect to large Juniper switches. These Linux servers are using Link Aggregation and Bonding, and as such, are configured to use LACP to send PDUs to the switches.
LLDP is also enabled. With LLDP, devices advertise their information to directly-connected peers/neighbors. I found a good link that describes how to enable LLDP on Linux.
https://community.mellanox.com/s/article/howto-enable-lldp-on-linux-servers-for-link-discovery
This Juniper document does a pretty good job of discussing LACP.
Understanding LAG and LACP
The SD-WAN product at my previous startup company has a Layer 2 Gateway that essentially would allow corporations to join LAN segments over a wide area network. So people sitting in an office in, say, Seattle, could be "theoretically" sitting next to some colleagues sitting in an office in, say, Atlanta. All on the same LAN segment. How the product did this is a separate discussions since it involved taking Ethernet Frames, and transporting / tunneling them across the internet (albeit in a very creative and very fast way due to link aggregation, UDP acceleration, multiple channels for delivering the tunneled packets, et al).
I only scratched the surface in terms of understanding the nuances of L2 with this. For example, I learned quite a bit about Bridging (from a Linux perspective). I learned a bit about Spanning Tree Protocol as well, and BPDUS.
I had heard about protocols like LLDP (Link Layer Discovery Protocol), and LACP (Link Aggregation Control Protocol), but since I was not dealing with commercial switches and things, I had no need for enabling, configuring, tuning or analyzing these protocols.
But - I am in an environment now, where these things start to matter a bit more. We run OpenStack hosts that connect to large Juniper switches. These Linux servers are using Link Aggregation and Bonding, and as such, are configured to use LACP to send PDUs to the switches.
LLDP is also enabled. With LLDP, devices advertise their information to directly-connected peers/neighbors. I found a good link that describes how to enable LLDP on Linux.
https://community.mellanox.com/s/article/howto-enable-lldp-on-linux-servers-for-link-discovery
This Juniper document does a pretty good job of discussing LACP.
Understanding LAG and LACP
Friday, November 8, 2019
Some handy sed commands for formatting a large concatenated json file
More on Salt later in a separate post, but I am using Salt to pull salt grains from a number of servers so that I can extrapolate out the gain items (in my case, serial number, operating system and so forth).
I ran into an issue where Salt concatenates the json file as a bunch of continguous blocks of json.
When you try to load this into a json parser, it fails.
So in researching how to split this file, I ran into one particularly clever person on the web who said, "don't SPLIT the file! just make it an array of json elements".
I wonder if this guy knew how much wisdom he expelled.
So - I needed some sed to "prepare" this file.
And here it is:
#!/bin/bash
# This script will take the huge json file from Salt and make it something we can parse by
# making each json block an array element.
# Step 1 - add commas between blocks
sed -i 's/^}/},/g' saltgraininfo.json
# Step 2 - remove that last comma out which I could not figure out how to do in Step 1 in same sed command.
sed -i '$s/,//g' saltgraininfo.json
# Step 3 - put a bracket in beginning of the file
sed -i '1s/^/[\n/' saltgraininfo.json
# Step 4 - put a bracket at the end of the file
sed -i '$s/}/}\n]/g' saltgraininfo.json
After I did this, I used Python and did a json.load on the file, and voila'! It loads!
On to the parsing now....
I ran into an issue where Salt concatenates the json file as a bunch of continguous blocks of json.
When you try to load this into a json parser, it fails.
So in researching how to split this file, I ran into one particularly clever person on the web who said, "don't SPLIT the file! just make it an array of json elements".
I wonder if this guy knew how much wisdom he expelled.
So - I needed some sed to "prepare" this file.
And here it is:
#!/bin/bash
# This script will take the huge json file from Salt and make it something we can parse by
# making each json block an array element.
# Step 1 - add commas between blocks
sed -i 's/^}/},/g' saltgraininfo.json
# Step 2 - remove that last comma out which I could not figure out how to do in Step 1 in same sed command.
sed -i '$s/,//g' saltgraininfo.json
# Step 3 - put a bracket in beginning of the file
sed -i '1s/^/[\n/' saltgraininfo.json
# Step 4 - put a bracket at the end of the file
sed -i '$s/}/}\n]/g' saltgraininfo.json
After I did this, I used Python and did a json.load on the file, and voila'! It loads!
On to the parsing now....
Subscribe to:
Posts (Atom)
SLAs using Zabbix in a VMware Environment
Zabbix 7 introduced some better support for SLAs. It also had better support for VMware. VMware, of course now owned by BroadSoft, has prio...
