You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cloudstack.apache.org by James Smith <ci...@gmail.com> on 2015/11/01 18:03:27 UTC
Restoring Cloudstack DB with Missing /etc/cloudstack/management/key
I have a cloudstack management instance I'm trying to restore but didn't
back up the /etc/cloudstack/management/key which encrypts given fields in
the db. Having restored it I'm getting jaspyr exceptions due to the key
being different, I'd like to override those with newly necrypted values.
Is this possible? Which fields should I look to replace in particular?
Thanks
James
Re: Re[2]: GRE Isolation Performance
Posted by Remi Bergsma <RB...@schubergphilis.com>.
Hi David,
All I know is that you need NSX-mh (multi hypervisor version) and that works with KVM and xenserver.
The licensing options changed a lot since it became VMware.
Also checkout Nuage, they are actively maintaining and supporting their plugin (whereas the Nicira plugin was made by the community).
Both controllers need to be licensed so that brings in extra costs one way or the other. But they also bring in many new features not possible without SDN.
Regards, Remi
Sent from my iPhone
> On 05 Nov 2015, at 08:25, David Amorín <da...@adderglobal.com> wrote:
>
> Remi,Can you please confirm the cost of Nicira (VMware NSX) aprox.? I saw that they offer a perpetual license per CPU socket $6K each one. Is that correct?
>
>
> http://searchsdn.techtarget.com/news/2240222952/VMware-NSX-price-finally-published-as-channel-starts-selling
>
> DA
>
>
> -----Mensaje original-----
>> De: "Remi Bergsma" <RB...@schubergphilis.com>
>> A: users@cloudstack.apache.org
>> Fecha: 04/11/2015 20:29
>> Asunto: Re: GRE Isolation Performance
>>
>> Hi David,
>>
>> I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
>>
>>
>>
>> Regards,
>> Remi
>>
>>
>>> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>>>
>>> Hi all,
>>> We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
>>>
>>>
>>> Can anyone share with us the experience working with GRE isolation?
>>>
>>>
>>> We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
>>>
>>>
>>> Thanks,
>>>
>>>
>>> David
>
Re[2]: GRE Isolation Performance
Posted by David Amorín <da...@adderglobal.com>.
Remi,Can you please confirm the cost of Nicira (VMware NSX) aprox.? I saw that they offer a perpetual license per CPU socket $6K each one. Is that correct?
http://searchsdn.techtarget.com/news/2240222952/VMware-NSX-price-finally-published-as-channel-starts-selling
DA
-----Mensaje original-----
> De: "Remi Bergsma" <RB...@schubergphilis.com>
> A: users@cloudstack.apache.org
> Fecha: 04/11/2015 20:29
> Asunto: Re: GRE Isolation Performance
>
> Hi David,
>
> I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
>
>
>
> Regards,
> Remi
>
>
> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>
> >Hi all,
> >We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
> >
> >
> >Can anyone share with us the experience working with GRE isolation?
> >
> >
> >We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
> >
> >
> >Thanks,
> >
> >
> >David
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
Re: Re[4]: GRE Isolation Performance
Posted by Tim Mackey <tm...@gmail.com>.
David,
Cross host private network (CHPN) performance in XenServer will be slower
than VXLAN because traffic in the GRE tunnel is encrypted. At the time
CHPN was implemented in 2010, VXLAN wasn't as well established as it is
today, and we had a requirement of the communication being private. There
were internal performance docs at the time which showed dom0 CPU usage
maxed out with something like 100 tunnels from a host, so I'm not the least
bit surprised with your observations.
In looking at the support for VXLAN in XenServer, I'm of the opinion there
isn't anything which would prevent the existing CS VXLAN implementation for
KVM from being expanded to include XenServer. I however lack the
infrastructure to test this theory.
-tim
On Sun, Nov 15, 2015 at 4:22 PM, David Amorín <da...@adderglobal.com>
wrote:
> Hi Remi,
> I really apprecciate your comments.
>
>
> If i have understood correctly, it is possible to use OVS with STT tunnels
> over CS. Is that correct?
>
>
> David
>
>
> -----Mensaje original-----
> > De: "Remi Bergsma" <RB...@schubergphilis.com>
> > A: users@cloudstack.apache.org
> > Fecha: 05/11/2015 09:52
> > Asunto: Re: Re[2]: GRE Isolation Performance
> >
> > Hi David,
> >
> > STT support was added to mainstream OVS only a few months ago, last
> summer. Before that you had to patch it in.
> >
> > To be honest, in 2012 when we started using this, STT was the only
> option that could use the offloading of the nic. Today, VXLAN also is able
> to do that. For new deployments, that is the way forward as it is widely
> adopted and supported.
> >
> > I never tried VXLAN without a controller, but it is worth investigating.
> For sure Nicira and Nuage support it.
> >
> > We might consider dropping GRE support, but that's more of a subject for
> the dev list. If you have stats/performance details to share, that might
> help showing it is not a real option any more for production deployments.
> >
> > Regards, Remi
> >
> > Sent from my iPhone
> >
> > > On 05 Nov 2015, at 08:19, David Amorín <da...@adderglobal.com>
> wrote:
> > >
> > > It looks VXLAN and STT are currently the best options. If OVS has
> support for STT tunnels, why CS doesn't support this configuration?
> > >
> > > David
> > >
> > >
> > > -----Mensaje original-----
> > >> De: "Remi Bergsma" <RB...@schubergphilis.com>
> > >> A: users@cloudstack.apache.org
> > >> Fecha: 04/11/2015 20:29
> > >> Asunto: Re: GRE Isolation Performance
> > >>
> > >> Hi David,
> > >>
> > >> I haven’t used GRE myself, but I do know that performance wise you
> need something that offloads to the nic, as with vlan tagging (instead of
> having the cpu do all the work). Did you consider VXLAN? That has nic
> offloading support in most nics these days. We are using STT (also does
> offloading) with Nicira and it is very fast. If I had to build again, I’d
> investigate VXLAN.
> > >>
> > >>
> > >>
> > >> Regards,
> > >> Remi
> > >>
> > >>
> > >>> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com>
> wrote:
> > >>>
> > >>> Hi all,
> > >>> We are working in an environment with CS 4.5.2 / XenServer 6.5 with
> multiple zones (Spain and Netherlands) using GRE Isolation and we have some
> concerns that we would like to share with you. Basically, we make a CPU
> benchmark between VLAN isolation and GRE isolation and the results show us
> that the consumption of CPU with GRE isolation is too much compared with
> VLAN isolation.
> > >>>
> > >>>
> > >>> Can anyone share with us the experience working with GRE isolation?
> > >>>
> > >>>
> > >>> We are not sure if this configuration in production will be safe,
> scalable and with an acceptable level of performance.
> > >>>
> > >>>
> > >>> Thanks,
> > >>>
> > >>>
> > >>> David
> > >
>
>
Re[4]: GRE Isolation Performance
Posted by David Amorín <da...@adderglobal.com>.
Hi Remi,
I really apprecciate your comments.
If i have understood correctly, it is possible to use OVS with STT tunnels over CS. Is that correct?
David
-----Mensaje original-----
> De: "Remi Bergsma" <RB...@schubergphilis.com>
> A: users@cloudstack.apache.org
> Fecha: 05/11/2015 09:52
> Asunto: Re: Re[2]: GRE Isolation Performance
>
> Hi David,
>
> STT support was added to mainstream OVS only a few months ago, last summer. Before that you had to patch it in.
>
> To be honest, in 2012 when we started using this, STT was the only option that could use the offloading of the nic. Today, VXLAN also is able to do that. For new deployments, that is the way forward as it is widely adopted and supported.
>
> I never tried VXLAN without a controller, but it is worth investigating. For sure Nicira and Nuage support it.
>
> We might consider dropping GRE support, but that's more of a subject for the dev list. If you have stats/performance details to share, that might help showing it is not a real option any more for production deployments.
>
> Regards, Remi
>
> Sent from my iPhone
>
> > On 05 Nov 2015, at 08:19, David Amorín <da...@adderglobal.com> wrote:
> >
> > It looks VXLAN and STT are currently the best options. If OVS has support for STT tunnels, why CS doesn't support this configuration?
> >
> > David
> >
> >
> > -----Mensaje original-----
> >> De: "Remi Bergsma" <RB...@schubergphilis.com>
> >> A: users@cloudstack.apache.org
> >> Fecha: 04/11/2015 20:29
> >> Asunto: Re: GRE Isolation Performance
> >>
> >> Hi David,
> >>
> >> I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
> >>
> >>
> >>
> >> Regards,
> >> Remi
> >>
> >>
> >>> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
> >>>
> >>> Hi all,
> >>> We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
> >>>
> >>>
> >>> Can anyone share with us the experience working with GRE isolation?
> >>>
> >>>
> >>> We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
> >>>
> >>>
> >>> Thanks,
> >>>
> >>>
> >>> David
> >
Re: Re[2]: GRE Isolation Performance
Posted by Remi Bergsma <RB...@schubergphilis.com>.
Hi David,
STT support was added to mainstream OVS only a few months ago, last summer. Before that you had to patch it in.
To be honest, in 2012 when we started using this, STT was the only option that could use the offloading of the nic. Today, VXLAN also is able to do that. For new deployments, that is the way forward as it is widely adopted and supported.
I never tried VXLAN without a controller, but it is worth investigating. For sure Nicira and Nuage support it.
We might consider dropping GRE support, but that's more of a subject for the dev list. If you have stats/performance details to share, that might help showing it is not a real option any more for production deployments.
Regards, Remi
Sent from my iPhone
> On 05 Nov 2015, at 08:19, David Amorín <da...@adderglobal.com> wrote:
>
> It looks VXLAN and STT are currently the best options. If OVS has support for STT tunnels, why CS doesn't support this configuration?
>
> David
>
>
> -----Mensaje original-----
>> De: "Remi Bergsma" <RB...@schubergphilis.com>
>> A: users@cloudstack.apache.org
>> Fecha: 04/11/2015 20:29
>> Asunto: Re: GRE Isolation Performance
>>
>> Hi David,
>>
>> I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
>>
>>
>>
>> Regards,
>> Remi
>>
>>
>>> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>>>
>>> Hi all,
>>> We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
>>>
>>>
>>> Can anyone share with us the experience working with GRE isolation?
>>>
>>>
>>> We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
>>>
>>>
>>> Thanks,
>>>
>>>
>>> David
>
Re[2]: GRE Isolation Performance
Posted by David Amorín <da...@adderglobal.com>.
It looks VXLAN and STT are currently the best options. If OVS has support for STT tunnels, why CS doesn't support this configuration?
David
-----Mensaje original-----
> De: "Remi Bergsma" <RB...@schubergphilis.com>
> A: users@cloudstack.apache.org
> Fecha: 04/11/2015 20:29
> Asunto: Re: GRE Isolation Performance
>
> Hi David,
>
> I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
>
>
>
> Regards,
> Remi
>
>
> On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>
> >Hi all,
> >We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
> >
> >
> >Can anyone share with us the experience working with GRE isolation?
> >
> >
> >We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
> >
> >
> >Thanks,
> >
> >
> >David
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
Re: GRE Isolation Performance
Posted by Simon Weller <sw...@ena.com>.
VXLAN is very fast. We've been testing it in our lab for our next gen platform. Note that the VXLAN implementation in CloudStack today was built with KVM support only and uses the native linux VXLAN support (with multicast).
As Remi pointed out, other options for you include Nicira (VMware NSX MH) and we've also been investigating Nuage (uses VXLAN and MPLS over GRE under the covers).
- Si
________________________________________
From: Remi Bergsma <RB...@schubergphilis.com>
Sent: Wednesday, November 4, 2015 1:22 PM
To: users@cloudstack.apache.org
Subject: Re: GRE Isolation Performance
Hi David,
I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
Regards,
Remi
On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>Hi all,
>We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
>
>
>Can anyone share with us the experience working with GRE isolation?
>
>
>We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
>
>
>Thanks,
>
>
>David
>
>
>
>
>
>
>
>
>
>
>
Re: GRE Isolation Performance
Posted by Remi Bergsma <RB...@schubergphilis.com>.
Hi David,
I haven’t used GRE myself, but I do know that performance wise you need something that offloads to the nic, as with vlan tagging (instead of having the cpu do all the work). Did you consider VXLAN? That has nic offloading support in most nics these days. We are using STT (also does offloading) with Nicira and it is very fast. If I had to build again, I’d investigate VXLAN.
Regards,
Remi
On 04/11/15 12:31, "David Amorín" <da...@adderglobal.com> wrote:
>Hi all,
>We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
>
>
>Can anyone share with us the experience working with GRE isolation?
>
>
>We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
>
>
>Thanks,
>
>
>David
>
>
>
>
>
>
>
>
>
>
>
GRE Isolation Performance
Posted by David Amorín <da...@adderglobal.com>.
Hi all,
We are working in an environment with CS 4.5.2 / XenServer 6.5 with multiple zones (Spain and Netherlands) using GRE Isolation and we have some concerns that we would like to share with you. Basically, we make a CPU benchmark between VLAN isolation and GRE isolation and the results show us that the consumption of CPU with GRE isolation is too much compared with VLAN isolation.
Can anyone share with us the experience working with GRE isolation?
We are not sure if this configuration in production will be safe, scalable and with an acceptable level of performance.
Thanks,
David
Re: External VPN
Posted by Erik Weber <te...@gmail.com>.
Depends on how you want to use it / how much integration you want.
You could configure a shared network and set up the VPN routes on the
router, or add it manually to guest vms.
Another aproach is to configure a VPC, and add it via the private gateway
feature.
--
Erik
On Wed, Nov 4, 2015 at 12:39 PM, David Amorín <da...@adderglobal.com>
wrote:
> Hi,
> Could be possible to use an external device with CS for VPN service?
>
>
> Thanks
>
>
> David
>
>
External VPN
Posted by David Amorín <da...@adderglobal.com>.
Hi,
Could be possible to use an external device with CS for VPN service?
Thanks
David
EIP - Advanced Network and VPC
Posted by David Amorín <da...@adderglobal.com>.
Hi all,
I was wondering if it is possible to implement EIP (Elastic IP) with VPC or Advanced zones
Thanks for your help
David
RE: Restoring Cloudstack DB with Missing
/etc/cloudstack/management/key
Posted by Somesh Naidu <So...@citrix.com>.
That should be possible. It is not perfectly clear which key is out of sync, but if you are looking to replace the mgmt secret key located in /etc/cloudstack/management/key then you only need to replace the new value for property " db.cloud.encrypt.secret" in /etc/cloudstack/management/db.properties.
Regards,
Somesh
-----Original Message-----
From: James Smith [mailto:ciscovillan1234@gmail.com]
Sent: Sunday, November 01, 2015 12:03 PM
To: users@cloudstack.apache.org
Subject: Restoring Cloudstack DB with Missing /etc/cloudstack/management/key
I have a cloudstack management instance I'm trying to restore but didn't
back up the /etc/cloudstack/management/key which encrypts given fields in
the db. Having restored it I'm getting jaspyr exceptions due to the key
being different, I'd like to override those with newly necrypted values.
Is this possible? Which fields should I look to replace in particular?
Thanks
James