Bug 1399234

Summary: [RFE] Add support for DSCP marking with VXLAN encapsulation
Product: Red Hat OpenStack Reporter: Luis Tomas Bolivar <ltomasbo>
Component: openstack-neutronAssignee: Assaf Muller <amuller>
Status: CLOSED DUPLICATE QA Contact: Toni Freger <tfreger>
Severity: medium Docs Contact:
Priority: medium    
Version: 10.0 (Newton)CC: akarlsso, ali.sanhaji, aloughla, amuller, apevec, atragler, brault, chrisw, dhill, fherrman, gideon.agmon, jjung, jlibosva, jraju, lpeer, ltomasbo, mleitner, nyechiel, ragiman, rhos-maint, sputhenp, srevivo, sukulkar, tmmorin.orange, trozet
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://bugs.launchpad.net/neutron/+bug/1692951
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2053695 (view as bug list) Environment:
Last Closed: 2018-03-18 00:02:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1476900, 2053695, 2071095, 2071096    

Description Luis Tomas Bolivar 2016-11-28 15:29:36 UTC 
Description of problem:
Currently, the QoS DSCP mark implementation only works for provider networks, and VLAN and flat networks. However, if overlays (GRE, VXLAN) are to be used, the DSCP mark will only be applied in the inner IP header and not in the outer (GRE, VXLAN) one.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
DSCP marking not in outer header, and therefore, not supported for GRE/VXLAN overlays

Expected results:
Copy the DSCP mark from the inner to the outer IP header for GRE/VXLAN overlay networks

Additional info:
Comment 5 ali.sanhaji 2017-03-31 12:41:18 UTC 
1. To copy the DSCP mark:

Indeed, the DSCP mark implementation in the neutron QoS extension marks the packets coming out of the VM before encapsulation in VxLAN or GRE tunnels. The OVS implementation uses OVS flows in br-int to set the DSCP field of incoming packets (VM to network). The linuxbridge implementation uses iptables to mark the packets coming from the device connecting the VMs to the bridge.

When the packet is encapsulated, the DSCP field is not automatically copied from the inner header to the outer header. To do so, the solution in OVS is to set the tunnel interfaces (VxLAN or GRE) with the right option:

ovs-vsctl set interface vxlan-xxxxxxxx options:tos=inherit

The TOS field is comprised of the DSCP field and the ECN field. The ECN field is automatically copied as the RFC 6040 is implemented in the Linux kernel since version 3.13 at least. Setting the TOS field to "inherit" means that the value of the DSCP field of the inner header will be copied to the outer header.

The inherit option can be set from the neutron QoS extension code by updating the OVS tunnel ports (in br-tun) in all computes, or it can be done at the creation of the tunnel ports by the neutron OVS agent.

In linuxbridge, the VxLAN ports cannot be set to inherit, they can only be set to a specific value at the creation of the VxLAN tunnel port. This specific value can be set in the ml2_conf.ini configuration file, when using linuxbridge as a driver, in the section [VXLAN] by adding tos=value. The problem is that we cannot specify a DSCP mark per tenant as all tenants using this tunnel will have the same DSCP.

2. To have different DSCP marks in inner and outer header:

To extend further the problem of DSCP marking, we may want to have different values in the inner header and the outer header, rather than copy it, so that the underlay network using the outer header can make its own decisions based the outer DSCP value without being tied to the inner DSCP value.

In OVS, the elegant solution to set the outer DSCP mark would be to do this:

ovs-vsctl set interface vxlan-xxxxxxxx options:tos=flow

and manage all the tenant outer DSCP marks with flows in br-tun. But this is not implemented in OVS. So the big workaround would be to create a tunnel port with a specific TOS value for every DSCP mark we would need, and switch each tenant traffic to the corresponding port/DSCP mark. But OVS doesn't allow to have multiple ports with the same source and destination IP addresses and distinct TOS values.

A better solution I tested uses iptables with the MARK target. The idea is to set the packets coming out of a tenant VM with a specific MARK value with iptables (which sets the "mark" field in sk_buff structure associated to the packet). This value persists after encapsulation in VxLAN tunnels, so we can match this value with iptables to set the DSCP in the corresponding outer header.

This solution works using linuxbridge. We only need to see if their are no interference with other MARK values used in neutron. And also see how it works with namespaces as it seems that the MARK value is cleared when the packet is sent to another namespace (in skb_scrub_packet() in Linux kernel).

OVS also allows to use the sk_buff mark field with bridge flows, it can be modified with set_field:value->pkt_mark. This works between OVS bridges (we can match it with pkt_mark=value), but I noticed that the value does not persist after the packet exits the OVS tunnel ports (e.g., vxlan port in br-tun). So we cannot match it afterwards with iptables to mark the DSCP field on the outer header as with linuxbridge.

It seems that even if we mark the VM packets with a specific value using iptables (MARK target) before the packet enters the OVS bridges, the mark value cannot be used in the OVS flows, as if the mark value was cleared before entering OVS. We are still investigating why the mark value is cleared and cannot be used between iptables and OVS (maybe skb_scrub_packet() is called before entering or leaving OVS ports).

Nevertheless, the use of the mark field can be a solution to set the DSCP field of the outer header with a specific value per tenant.
Comment 7 ali.sanhaji 2017-04-27 13:03:11 UTC 
After few verifications and tests with OVS, the mark field of sk_buff is indeed zeroed by skb_scrub_packet, but before entering OVS. When the mark is set with iptables at the egress of the VM (tap) in the PREROUTING chain, the value is cleared when the packet gets through the veth connected to br-int (qvb/qvo pair). But when the mark is set through flows with set_field:value->pkt_mark, the value can be used after VxLAN encapsulation to set the good DSCP mark in the outer header through iptables in the OUTPUT chain.

So we have a solution to set the DSCP of the outer header in both linuxbridge and OVS using the mark field.
Comment 9 ali.sanhaji 2017-05-23 15:47:52 UTC 
I filed a RFE in the neutron launchpad concerning this issue: https://bugs.launchpad.net/neutron/+bug/1692951
Comment 10 Bertrand 2017-06-23 09:29:45 UTC 
Adding a note to mention that this was discussed during neutron_qos meeting[1]

[1] http://eavesdrop.openstack.org/meetings/neutron_qos/2017/neutron_qos.2017-06-20-15.00.log.html
Comment 11 Nir Yechiel 2017-10-18 07:01:00 UTC 
We have reviewed this feature request and we won't be able to prioritize it for RHOSP 13 due to other priorities.
Comment 12 Thomas Morin (tmorin) 2017-10-18 12:41:16 UTC 
For the sake of completeness: step 1 (as described in comment #5) is being implemented ( https://review.openstack.org/#/c/501267 ), but an implementation of Step 2 and of an API to control these mappings, are not yet planned.
Comment 14 Nir Yechiel 2018-03-18 00:02:10 UTC 
We decided to implement this feature with ODL, see BZ 1550668.

*** This bug has been marked as a duplicate of bug 1550668 ***