SlideShare a Scribd company logo

Baker: Scaling OVN with Kubernetes API Server

Han Zhou, profile picture
Han Zhou

This document discusses using Kubernetes API server framework (Baker) to scale out OVN control plane. It aims to distribute OVN northd and central OVSDB cluster. Challenges include lack of clustering in OVSDB SB and distributed state management. Baker proposes distributed northd, scale-out central cluster backed by ETCD, and distributed agents to watch local objects. This would address connectivity issues in large cloud deployments. The document also discusses addressing segmentation vs connectivity, using ACLs and address sets for L3 segmentation, and evaluating port security and ACL processing on each hypervisor.

Technology
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Baker: Scaling OVN with Kubernetes API Server Han Zhou OpenStack Summit Boston 2017
Why OVN? OVS is GREAT. OVN makes it GREATER! 2
OVN Challenges ● OVN is distributed, but not fully … ○ Can we distributed Northd? 3 Northd NB SB OVN-Controller OVS HV HV … Central OVSDB HV
OVN Challenges ● OVSDB SB ○ No clustering (yet) 4 Northd NB SB OVN-Controller OVS HV HV … Central OVSDB HV It is nothing but distributed state management ...
Scale-out with Baker ● Distributed northd ○ Computes lflows for local only ● Scale-out central cluster ○ K8S API server framework ○ Backed by ETCD ○ Clustering ● Distributed agents ○ Watch for local objects only ○ Translate objects to NB DB 5 Northd NB SB OVN-Controller OVSHV Central ETCD ETCD ETCDBaker API server Baker API server Baker API server Baker Agent HV … HV RESTful API
One more thing ... 6 â—Ź Northd and ovn-controller are all distributed â—Ź They process data related to local HV only But what does this mean?
In terms of overlay ... 7 ● Logical-to-physical mapping states (port-binding) for connectivity ● Doesn’t scale when everyone talks to everyone else in a *large* zone ○ Maybe not the case for public cloud, or small-to-medium enterprise cloud. ○ But it is typical use case for eBay’s private cloud.
Are we solving the right problem? 8 â—Ź Connectivity v.s. Segmentation â—Ź L2 Segmentation v.s. L3 segmentation â—Ź Address sets (L3) based segmentation â—‹ ACL: default deny, whitelist access â—‹ IPAM: â–  Use ip efficiently â–  Summarized CIDRs to reduce address set size
Flat network 9 ● Reuse OVN abstraction and pipeline ○ Port security ○ ARP proxy ○ ACL ○ LB ○ … ○ But NOT overlay ● Use localnet port to connect to physical network directly ● Data to be processed by each HV depends on size of AddressSet used by ACLs that apply to ports on the HV
Baker Object Model â—Ź Similar as OVN NB Schema â—‹ Logical Port â–  Addresses â–  Port security â—‹ ACL â—‹ Address Set â—‹ Load balancer (TBD) â—‹ ... â—Ź Differences â—‹ No Logical Switch (local) â—‹ Port-SecGroup binding â—‹ ACL: SecGroup instead of individual ports in inport/outport 10
Neutron Plugin â—Ź Support security group, with API extensions â—‹ Address set - support external IPs from legacy systems â—‹ Security group rule packet logging 11
Scalability - Control plane throughput 12 â—Ź Test â—‹ E2E: Neutron - Baker - OVS â—‹ Simulated 1k HVs on 10 BMs â–  OVS/OVN 2.7 â—‹ 1 node Neutron + mysql â—‹ 1 node Baker API server + ETCD â–  K8s 1.6 pre-release, etcd 3.0 â—Ź Result for single client (parallel test TBD) â—‹ Result impacted by SG (address set) size â—‹ ~3 ports/sec for SG size 1K
Scalability - Latency 13 â—Ź Test â—‹ E2E from Neutron to OVS flow installation for the port created â–  Create port from neutron, bind port in ovs on HV â–  Wait: â—Ź ovn-nbctl wait-until Logical_Switch_Port <port> up=true â—Ź ovn-nbctl --wait=hv sync â—‹ Create ports on top of existing 10K ports, 1K HVs, SG size 1K â—‹ 10K * 3 (flows/ACL) = 30K flows / ovs port â—Ź Result â—‹ Avg 2 sec
Improvement - ovn-controller 14 â—Ź Flow computation blocks flow installation â—Ź Improvement: avoid repeated computation when in-flight messages to OVS pending â—Ź Test result (SG size 10k, flow installation for 10 ports on HV): â—‹ 10k * 3 * 10 = 300k OVS flows â—‹ Before: 50 min â—‹ After: 16 sec
Other Lessons learned 15 ● Postpone ACL expanding from Neutron to HV ○ Introduce port-group binding object in Baker ○ Use port-group instead of lport in “inport/outport” in ACL ○ Baker agent expand ACL on HV for local lports only ○ Benefit: ■ Reduced Neutron overhead ■ Reduced API calls from Neutron to Baker ■ Reduced data size in Baker
Other Lessons learned 16 â—Ź Baker RESTful API: use Protobuf instead of JSON-RPC â—‹ 10 - 20 % throughput increase for SG size 1k - 10k â—‹ Lower CPU cost on API-server
Thanks! Q & A

More Related Content

PPTX
OVN Controller Incremental Processing
Han Zhou
 
PDF
Large scale overlay networks with ovn: problems and solutions
Han Zhou
 
PPTX
OVN operationalization at scale at eBay
Aliasgar Ginwala
 
PDF
QNIBTerminal: Understand your datacenter by overlaying multiple information l...
QNIB Solutions
 
PDF
Kraken mesoscon 2018
joeyzhang1989928
 
PPTX
Rocks db state store in structured streaming
Balaji Mohanam
 
PDF
Inter-process communication on steroids
Roberto Agostino Vitillo
 
PDF
Scylla Summit 2022: The Future of Consensus in ScyllaDB 5.0 and Beyond
ScyllaDB
 
OVN Controller Incremental Processing
Han Zhou
 
Large scale overlay networks with ovn: problems and solutions
Han Zhou
 
OVN operationalization at scale at eBay
Aliasgar Ginwala
 
QNIBTerminal: Understand your datacenter by overlaying multiple information l...
QNIB Solutions
 
Kraken mesoscon 2018
joeyzhang1989928
 
Rocks db state store in structured streaming
Balaji Mohanam
 
Inter-process communication on steroids
Roberto Agostino Vitillo
 
Scylla Summit 2022: The Future of Consensus in ScyllaDB 5.0 and Beyond
ScyllaDB
 

What's hot (20)

PDF
BKK16-203 Irq prediction or how to better estimate idle time
Linaro
 
PDF
20160401 guster-roadmap
Gluster.org
 
PDF
M|18 Deep Dive: InnoDB Transactions and Write Paths
MariaDB plc
 
PDF
HBaseCon2017 Transactions in HBase
HBaseCon
 
PDF
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
Yiran Wang
 
PDF
Tungsten University: Introduction to Continuent Tungsten 2.0
Continuent
 
PDF
OSDC 2013 | Distributed Storage with GlusterFS by Dr. Udo Seidel
NETWAYS
 
PDF
Gluster for sysadmins
Gluster.org
 
PDF
CRuby Committers Who's Who in 2013
nagachika t
 
PDF
Ceph Block Devices: A Deep Dive
joshdurgin
 
PDF
Live migration: pros, cons and gotchas -- Pavel Emelyanov
OpenVZ
 
PDF
Simon
AFRINIC
 
PPTX
M|18 Battle of the Online Schema Change Methods
MariaDB plc
 
PDF
Flink Forward Berlin 2017: Tzu-Li (Gordon) Tai - Managing State in Apache Flink
Flink Forward
 
PDF
Cloud storage: the right way OSS EU 2018
Orit Wasserman
 
PDF
New bare-metal provisioning setup built around Collins
leboncoin engineering
 
PDF
hbaseconasia2017: HBase Practice At XiaoMi
HBaseCon
 
PDF
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fluence Labs
 
PDF
Couchbase live 2016
Pierre Mavro
 
PDF
A day in the life of a log message
Josef Karásek
 
BKK16-203 Irq prediction or how to better estimate idle time
Linaro
 
20160401 guster-roadmap
Gluster.org
 
M|18 Deep Dive: InnoDB Transactions and Write Paths
MariaDB plc
 
HBaseCon2017 Transactions in HBase
HBaseCon
 
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
Yiran Wang
 
Tungsten University: Introduction to Continuent Tungsten 2.0
Continuent
 
OSDC 2013 | Distributed Storage with GlusterFS by Dr. Udo Seidel
NETWAYS
 
Gluster for sysadmins
Gluster.org
 
CRuby Committers Who's Who in 2013
nagachika t
 
Ceph Block Devices: A Deep Dive
joshdurgin
 
Live migration: pros, cons and gotchas -- Pavel Emelyanov
OpenVZ
 
Simon
AFRINIC
 
M|18 Battle of the Online Schema Change Methods
MariaDB plc
 
Flink Forward Berlin 2017: Tzu-Li (Gordon) Tai - Managing State in Apache Flink
Flink Forward
 
Cloud storage: the right way OSS EU 2018
Orit Wasserman
 
New bare-metal provisioning setup built around Collins
leboncoin engineering
 
hbaseconasia2017: HBase Practice At XiaoMi
HBaseCon
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fluence Labs
 
Couchbase live 2016
Pierre Mavro
 
A day in the life of a log message
Josef Karásek
 
Ad

Similar to Baker: Scaling OVN with Kubernetes API Server (20)

PPTX
OVN DBs HA with scale test
Aliasgar Ginwala
 
PPTX
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
James Denton
 
PDF
Kubernetes from scratch at veepee sysadmins days 2019
🔧 Loïc BLOT
 
PPTX
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kevin Lynch
 
PDF
Open Source Backends for OpenStack Neutron
mestery
 
PDF
Ovn vancouver
Mason Mei
 
PDF
OpenDaylight OpenStack Integration
LinuxCon ContainerCon CloudOpen China
 
PPTX
OVN - Basics and deep dive
Trinath Somanchi
 
PDF
Distributed routing
Murali Reddy
 
PPTX
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kevin Lynch
 
PDF
LF_OVS_17_State of the OVN
LF_OpenvSwitch
 
PDF
Hyperconverged Cloud, Not just a toy anymore - Andrew Hatfield, Red Hat
OpenStack
 
PDF
WSO2 Kubernetes Reference Architecture - Nov 2017
Imesh Gunaratne
 
PDF
hbaseconasia2017: hbase-2.0.0
HBaseCon
 
PDF
Moving from CellsV1 to CellsV2 at CERN
Belmiro Moreira
 
PDF
HKG15-301: OVS implemented via ODP & vendor SDKs
Linaro
 
PPTX
Taking Cloud to Extremes: Scaled-down, Highly Available, and Mission-critical...
Altoros
 
PPTX
OpenEBS hangout #4
OpenEBS
 
PDF
Open vSwitch for networking solution for L2
HaseebAhmed360060
 
PDF
Automating auto-scaled load balancer based on linux and vm orchestrator
Andrew Yongjoon Kong
 
OVN DBs HA with scale test
Aliasgar Ginwala
 
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
James Denton
 
Kubernetes from scratch at veepee sysadmins days 2019
🔧 Loïc BLOT
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kevin Lynch
 
Open Source Backends for OpenStack Neutron
mestery
 
Ovn vancouver
Mason Mei
 
OpenDaylight OpenStack Integration
LinuxCon ContainerCon CloudOpen China
 
OVN - Basics and deep dive
Trinath Somanchi
 
Distributed routing
Murali Reddy
 
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kevin Lynch
 
LF_OVS_17_State of the OVN
LF_OpenvSwitch
 
Hyperconverged Cloud, Not just a toy anymore - Andrew Hatfield, Red Hat
OpenStack
 
WSO2 Kubernetes Reference Architecture - Nov 2017
Imesh Gunaratne
 
hbaseconasia2017: hbase-2.0.0
HBaseCon
 
Moving from CellsV1 to CellsV2 at CERN
Belmiro Moreira
 
HKG15-301: OVS implemented via ODP & vendor SDKs
Linaro
 
Taking Cloud to Extremes: Scaled-down, Highly Available, and Mission-critical...
Altoros
 
OpenEBS hangout #4
OpenEBS
 
Open vSwitch for networking solution for L2
HaseebAhmed360060
 
Automating auto-scaled load balancer based on linux and vm orchestrator
Andrew Yongjoon Kong
 
Ad

Recently uploaded (20)

PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation theory and applications.pdf
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

Baker: Scaling OVN with Kubernetes API Server

  • 1. Baker: Scaling OVN with Kubernetes API Server Han Zhou OpenStack Summit Boston 2017
  • 2. Why OVN? OVS is GREAT. OVN makes it GREATER! 2
  • 3. OVN Challenges â—Ź OVN is distributed, but not fully … â—‹ Can we distributed Northd? 3 Northd NB SB OVN-Controller OVS HV HV … Central OVSDB HV
  • 4. OVN Challenges â—Ź OVSDB SB â—‹ No clustering (yet) 4 Northd NB SB OVN-Controller OVS HV HV … Central OVSDB HV It is nothing but distributed state management ...
  • 5. Scale-out with Baker â—Ź Distributed northd â—‹ Computes lflows for local only â—Ź Scale-out central cluster â—‹ K8S API server framework â—‹ Backed by ETCD â—‹ Clustering â—Ź Distributed agents â—‹ Watch for local objects only â—‹ Translate objects to NB DB 5 Northd NB SB OVN-Controller OVSHV Central ETCD ETCD ETCDBaker API server Baker API server Baker API server Baker Agent HV … HV RESTful API
  • 6. One more thing ... 6 â—Ź Northd and ovn-controller are all distributed â—Ź They process data related to local HV only But what does this mean?
  • 7. In terms of overlay ... 7 â—Ź Logical-to-physical mapping states (port-binding) for connectivity â—Ź Doesn’t scale when everyone talks to everyone else in a *large* zone â—‹ Maybe not the case for public cloud, or small-to-medium enterprise cloud. â—‹ But it is typical use case for eBay’s private cloud.
  • 8. Are we solving the right problem? 8 â—Ź Connectivity v.s. Segmentation â—Ź L2 Segmentation v.s. L3 segmentation â—Ź Address sets (L3) based segmentation â—‹ ACL: default deny, whitelist access â—‹ IPAM: â–  Use ip efficiently â–  Summarized CIDRs to reduce address set size
  • 9. Flat network 9 â—Ź Reuse OVN abstraction and pipeline â—‹ Port security â—‹ ARP proxy â—‹ ACL â—‹ LB â—‹ … â—‹ But NOT overlay â—Ź Use localnet port to connect to physical network directly â—Ź Data to be processed by each HV depends on size of AddressSet used by ACLs that apply to ports on the HV
  • 10. Baker Object Model â—Ź Similar as OVN NB Schema â—‹ Logical Port â–  Addresses â–  Port security â—‹ ACL â—‹ Address Set â—‹ Load balancer (TBD) â—‹ ... â—Ź Differences â—‹ No Logical Switch (local) â—‹ Port-SecGroup binding â—‹ ACL: SecGroup instead of individual ports in inport/outport 10
  • 11. Neutron Plugin â—Ź Support security group, with API extensions â—‹ Address set - support external IPs from legacy systems â—‹ Security group rule packet logging 11
  • 12. Scalability - Control plane throughput 12 â—Ź Test â—‹ E2E: Neutron - Baker - OVS â—‹ Simulated 1k HVs on 10 BMs â–  OVS/OVN 2.7 â—‹ 1 node Neutron + mysql â—‹ 1 node Baker API server + ETCD â–  K8s 1.6 pre-release, etcd 3.0 â—Ź Result for single client (parallel test TBD) â—‹ Result impacted by SG (address set) size â—‹ ~3 ports/sec for SG size 1K
  • 13. Scalability - Latency 13 â—Ź Test â—‹ E2E from Neutron to OVS flow installation for the port created â–  Create port from neutron, bind port in ovs on HV â–  Wait: â—Ź ovn-nbctl wait-until Logical_Switch_Port <port> up=true â—Ź ovn-nbctl --wait=hv sync â—‹ Create ports on top of existing 10K ports, 1K HVs, SG size 1K â—‹ 10K * 3 (flows/ACL) = 30K flows / ovs port â—Ź Result â—‹ Avg 2 sec
  • 14. Improvement - ovn-controller 14 â—Ź Flow computation blocks flow installation â—Ź Improvement: avoid repeated computation when in-flight messages to OVS pending â—Ź Test result (SG size 10k, flow installation for 10 ports on HV): â—‹ 10k * 3 * 10 = 300k OVS flows â—‹ Before: 50 min â—‹ After: 16 sec
  • 15. Other Lessons learned 15 â—Ź Postpone ACL expanding from Neutron to HV â—‹ Introduce port-group binding object in Baker â—‹ Use port-group instead of lport in “inport/outport” in ACL â—‹ Baker agent expand ACL on HV for local lports only â—‹ Benefit: â–  Reduced Neutron overhead â–  Reduced API calls from Neutron to Baker â–  Reduced data size in Baker
  • 16. Other Lessons learned 16 â—Ź Baker RESTful API: use Protobuf instead of JSON-RPC â—‹ 10 - 20 % throughput increase for SG size 1k - 10k â—‹ Lower CPU cost on API-server