Chapter 4. Using Quality of Service (QoS) policies to manage data traffic
You can offer varying service levels for VM instances by using quality of service (QoS) policies to apply rate limits to egress and ingress traffic on Red Hat OpenStack Platform (RHOSP) networks.
You can apply QoS policies to individual ports, or apply QoS policies to a project network, where ports with no specific policy attached inherit the policy.
Internal network owned ports, such as DHCP and internal router ports, are excluded from network policy application.
You can apply, modify, or remove QoS policies dynamically. However, for guaranteed minimum bandwidth QoS policies, you can only apply modifications when there are no instances that use any of the ports the policy is assigned to.
4.1. Controlling minimum bandwidth by using QoS policies
For the Red Hat OpenStack Services on OpenShift (RHOSO) Networking service (neutron), a guaranteed minimum bandwidth QoS rule can be enforced in two distinct contexts: Networking service back-end enforcement and resource allocation scheduling enforcement.
The network back end, ML2/OVN or ML2/SR-IOV, attempts to guarantee that each port on which the rule is applied has no less than the specified network bandwidth.
When you use resource allocation scheduling bandwidth enforcement, the Compute service (nova) only places VM instances on hosts that support the minimum bandwidth.
You can apply QoS minimum bandwidth rules using Networking service back-end enforcement, resource allocation scheduling enforcement, or both.
The following table identifies the Modular Layer 2 (ML2) mechanism drivers that support minimum bandwidth QoS policies:
| ML2 mechanism driver | Agent | VNIC types |
|---|---|---|
| ML2/OVN | (Not applicable) | normal |
| ML2/SR-IOV | | direct |
4.1.1. Using Networking service back-end enforcement to enforce minimum bandwidth
You can guarantee a minimum bandwidth for network traffic for ports by applying Red Hat OpenStack Services on OpenShift (RHOSO) quality of service (QoS) policies to the ports. These ports must be backed by a flat or VLAN physical network.
Currently, the Modular Layer 2 plug-in with the Open Virtual Network mechanism driver (ML2/OVN) does not support minimum bandwidth QoS rules.
Prerequisites
- Your administrator has enabled the Networking service with the qos service plug-in. (The plug-in is loaded by default.)
- The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
- The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient

Do not mix ports with and without bandwidth guarantees on the same physical interface, because this might cause denial of necessary resources (starvation) to the ports without a guarantee.

Tip: Create host aggregates to separate ports with bandwidth guarantees from those ports without bandwidth guarantees.
Procedure
Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

Confirm that the qos service plug-in is loaded in the Networking service:

    $ openstack network qos policy list

If the qos service plug-in is not loaded, then you receive a ResourceNotFound error, and you must load the qos services plug-in before you can continue. For more information, see your RHOSO administrator.

Identify the ID of the project you want to create the QoS policy for:

    $ openstack project list

- Sample output

    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
    | 519e6344f82e4c079c8e2eabb690023b | services |
    | 80bf5732752a41128e612fe615c886c6 | demo     |
    | 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
    +----------------------------------+----------+

Using the project ID from the previous step, create a QoS policy for the project.

- Example

In this example, a QoS policy named guaranteed_min_bw is created for the admin project:

    $ openstack network qos policy create --share \
        --project 98a2f53c20ce4d50a40dac4a38016c69 guaranteed_min_bw

Configure the rules for the policy.

- Example

In this example, QoS rules for ingress and egress with a minimum bandwidth of 40000000 kbps are created for the policy named guaranteed_min_bw:

    $ openstack network qos rule create \
        --type minimum-bandwidth --min-kbps 40000000 \
        --ingress guaranteed_min_bw
    $ openstack network qos rule create \
        --type minimum-bandwidth --min-kbps 40000000 \
        --egress guaranteed_min_bw

Configure a port to apply the policy to.

- Example

In this example, the guaranteed_min_bw policy is applied to port ID, 56x9aiw1-2v74-144x-c2q8-ed8w423a6s12:

    $ openstack port set --qos-policy guaranteed_min_bw \
        56x9aiw1-2v74-144x-c2q8-ed8w423a6s12

Verification
ML2/SR-IOV
Using root access, log in to the Compute node, and show the details of the virtual functions that are held in the physical function.
- Example

    # ip -details link show enp4s0f1

- Sample output

    50: enp4s0f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 9000 qdisc mq master mx-bond state UP mode DEFAULT group default qlen 1000
        link/ether 98:03:9b:9d:73:74 brd ff:ff:ff:ff:ff:ff permaddr 98:03:9b:9d:73:75 promiscuity 0 minmtu 68 maxmtu 9978
        bond_slave state BACKUP mii_status UP link_failure_count 0 perm_hwaddr 98:03:9b:9d:73:75 queue_id 0 addrgenmode eui64 numtxqueues 320 numrxqueues 40 gso_max_size 65536 gso_max_segs 65535 portname p1 switchid 74739d00039b0398
        vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 1 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 2 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 3 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 4 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 5 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 6 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 7 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
        vf 8 link/ether fa:16:3e:2a:d2:7f brd ff:ff:ff:ff:ff:ff, tx rate 999 (Mbps), max_tx_rate 999Mbps, spoof checking off, link-state disable, trust off, query_rss off
        vf 9 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off

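The sample output above has to be read by eye to find the one VF that carries a port's MAC address. The following script is an added example, not part of the Red Hat documentation: it reduces the ip -details link show output to the VFs that have a MAC assigned and reports their rate limits, spoof-check and trust settings. The sample input is constructed, and the min_tx_rate field is an assumption about how a VF with a minimum rate is printed.

```shell
#!/bin/sh
# Added example (not from the product documentation): summarise the SR-IOV
# virtual functions listed by `ip -details link show <pf>`.
# On a Compute node: ip -details link show enp4s0f1 | vf_report

# Constructed sample in the format of the output above. The min_tx_rate field
# on vf 8 is an assumption about how a VF with a minimum rate is printed.
sample_ip_output() {
cat <<'EOF'
50: enp4s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
    vf 7     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
    vf 8     link/ether fa:16:3e:2a:d2:7f brd ff:ff:ff:ff:ff:ff, tx rate 999 (Mbps), max_tx_rate 999Mbps, min_tx_rate 500Mbps, spoof checking off, link-state disable, trust off, query_rss off
EOF
}

# Read `ip -details link show` output on stdin and print one line per VF that
# has a MAC assigned: "<vf> <mac> <max Mbps> <min Mbps> <spoofchk> <trust>".
# A missing value is printed as "-". All-zero MACs (unused VFs) are skipped.
vf_report() {
    awk '
    function num(line, re,    s) {        # digits of the first match of re
        if (!match(line, re)) return "-"
        s = substr(line, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); return s
    }
    function flag(line, re,    s) {       # trailing on/off of the first match
        if (!match(line, re)) return "-"
        s = substr(line, RSTART, RLENGTH); sub(/.* /, "", s); return s
    }
    $1 == "vf" && $3 == "link/ether" && $4 != "00:00:00:00:00:00" {
        print $2, tolower($4), num($0, "max_tx_rate [0-9]+"),
              num($0, "min_tx_rate [0-9]+"),
              flag($0, "spoof checking (on|off)"), flag($0, "trust (on|off)")
    }'
}

# Succeed only if the VF bound to MAC $1 has a min_tx_rate of at least $2 Mbps.
vf_has_min_rate() {
    vf_report | awk -v mac="$(printf '%s' "$1" | tr 'A-F' 'a-f')" -v want="$2" '
        $2 == mac { found = 1; ok = ($4 != "-" && $4 + 0 >= want + 0) }
        END { exit !(found && ok) }'
}

sample_ip_output | vf_report
```

The MAC address to look for is the mac_address field of the port that the policy was applied to.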
4.1.2. Scheduling instances by using minimum bandwidth QoS policies
You can apply a minimum bandwidth QoS policy to a port to guarantee that the host on which its Red Hat OpenStack Services on OpenShift (RHOSO) VM instance is spawned has a minimum network bandwidth.
Prerequisites
- Your administrator has enabled the Networking service with the qos and the placement service plug-ins. The qos service plug-in is loaded by default.
- The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
- The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient

- The Networking service must support the following API extensions:
  - agent-resources-synced
  - port-resource-request
  - qos-bw-minimum-ingress
- You must use the ML2/OVN or ML2/SR-IOV mechanism drivers.
- You can only modify a minimum bandwidth QoS policy when there are no instances using any of the ports the policy is assigned to. The Networking service cannot update the Placement API usage information if a port is bound.
- The Placement service must support microversion 1.29.
- The Compute service (nova) must support microversion 2.72.
Procedure
Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

Confirm that the qos service plug-in is loaded in the Networking service:

    $ openstack network qos policy list

If the qos service plug-in is not loaded, then you receive a ResourceNotFound error, and you must load the qos services plug-in before you can continue. For more information, see your RHOSO administrator.

Identify the ID of the project you want to create the QoS policy for:

    $ openstack project list

- Sample output

    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
    | 519e6344f82e4c079c8e2eabb690023b | services |
    | 80bf5732752a41128e612fe615c886c6 | demo     |
    | 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
    +----------------------------------+----------+

Using the project ID from the previous step, create a QoS policy for the project.

- Example

In this example, a QoS policy named guaranteed_min_bw is created for the admin project:

    $ openstack network qos policy create --share \
        --project 98a2f53c20ce4d50a40dac4a38016c69 guaranteed_min_bw

Configure the rules for the policy.

- Example

In this example, QoS rules for ingress and egress with a minimum bandwidth of 40000000 kbps are created for the policy named guaranteed_min_bw:

    $ openstack network qos rule create \
        --type minimum-bandwidth --min-kbps 40000000 \
        --ingress guaranteed_min_bw
    $ openstack network qos rule create \
        --type minimum-bandwidth --min-kbps 40000000 \
        --egress guaranteed_min_bw

Configure a port to apply the policy to.

- Example

In this example, the guaranteed_min_bw policy is applied to port ID, 56x9aiw1-2v74-144x-c2q8-ed8w423a6s12:

    $ openstack port set --qos-policy guaranteed_min_bw \
        56x9aiw1-2v74-144x-c2q8-ed8w423a6s12

4.2. Limiting network traffic by using QoS policies
You can create a Red Hat OpenStack Services on OpenShift (RHOSO) Networking service (neutron) quality of service (QoS) policy that limits the bandwidth on your RHOSP networks, ports, floating IPs, or gateway IPs (technology preview) and drops any traffic that exceeds the specified rate.
Prerequisites
- Your administrator has enabled the Networking service with the qos service plug-in. (The plug-in is loaded by default.)
- The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
- The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient

Procedure
Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

Confirm that the qos service plug-in is loaded in the Networking service:

    $ openstack network qos policy list

If the qos service plug-in is not loaded, then you receive a ResourceNotFound error, and you must load the qos services plug-in before you can continue. For more information, see your RHOSO administrator.

Identify the ID of the project you want to create the QoS policy for:

    $ openstack project list

- Sample output

    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
    | 519e6344f82e4c079c8e2eabb690023b | services |
    | 80bf5732752a41128e612fe615c886c6 | demo     |
    | 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
    +----------------------------------+----------+

Using the project ID from the previous step, create a QoS policy for the project.

- Example

In this example, a QoS policy named bw-limiter is created for the admin project:

    $ openstack network qos policy create --share --project 98a2f53c20ce4d50a40dac4a38016c69 bw-limiter

Configure the rules for the policy.

Note: You can add more than one rule to a policy, as long as the type or direction of each rule is different. For example, you can specify two bandwidth-limit rules, one with egress and one with ingress direction.

- Example

In this example, QoS ingress and egress rules are created for the policy named bw-limiter with a bandwidth limit of 50000 kbps and a maximum burst size of 50000 kbps:

    $ openstack network qos rule create --type bandwidth-limit \
        --max-kbps 50000 --max-burst-kbits 50000 --ingress bw-limiter
    $ openstack network qos rule create --type bandwidth-limit \
        --max-kbps 50000 --max-burst-kbits 50000 --egress bw-limiter

You can create a port with a policy attached to it, or attach a policy to a pre-existing port.

- Example - create a port with a policy attached

In this example, the policy bw-limiter is associated with port port2:

    $ openstack port create --qos-policy bw-limiter --network private port2

- Sample output

    +-----------------------+--------------------------------------------------+
    | Field                 | Value                                            |
    +-----------------------+--------------------------------------------------+
    | admin_state_up        | UP                                               |
    | allowed_address_pairs |                                                  |
    | binding_host_id       |                                                  |
    | binding_profile       |                                                  |
    | binding_vif_details   |                                                  |
    | binding_vif_type      | unbound                                          |
    | binding_vnic_type     | normal                                           |
    | created_at            | 2024-09-19T19:20:24Z                             |
    | data_plane_status     | None                                             |
    | description           |                                                  |
    | device_id             |                                                  |
    | device_owner          |                                                  |
    | dns_assignment        | None                                             |
    | dns_name              | None                                             |
    | extra_dhcp_opts       |                                                  |
    | fixed_ips             | ip_address='192.0.2.210', subnet_id='292f8c-...' |
    | id                    | f51562ee-da8d-42de-9578-f6f5cb248226             |
    | ip_address            | None                                             |
    | mac_address           | fa:16:3e:d9:f2:ba                                |
    | name                  | port2                                            |
    | network_id            | 55dc2f70-0f92-4002-b343-ca34277b0234             |
    | option_name           | None                                             |
    | option_value          | None                                             |
    | port_security_enabled | False                                            |
    | project_id            | 98a2f53c20ce4d50a40dac4a38016c69                 |
    | qos_policy_id         | 8491547e-add1-4c6c-a50e-42121237256c             |
    | revision_number       | 6                                                |
    | security_group_ids    | 0531cc1a-19d1-4cc7-ada5-49f8b08245be             |
    | status                | DOWN                                             |
    | subnet_id             | None                                             |
    | tags                  | []                                               |
    | trunk_details         | None                                             |
    | updated_at            | 2024-09-19T19:23:00Z                             |
    +-----------------------+--------------------------------------------------+

- Example - attach a policy to a pre-existing port

In this example, the policy bw-limiter is associated with port1:

    $ openstack port set --qos-policy bw-limiter port1

4.3. Prioritizing network traffic by using DSCP marking QoS policies
You can use differentiated services code point (DSCP) to implement quality of service (QoS) policies on your Red Hat OpenStack Services on OpenShift (RHOSO) network by embedding relevant values in the IP headers. The RHOSP Networking service (neutron) QoS policies can use DSCP marking to manage only egress traffic on neutron ports and networks.
Prerequisites
- Your administrator has enabled the Networking service with the qos service plug-in. (The plug-in is loaded by default.)
- The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
- The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient

Procedure
Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

Confirm that the qos service plug-in is loaded in the Networking service:

    $ openstack network qos policy list

If the qos service plug-in is not loaded, then you receive a ResourceNotFound error, and you must configure the Networking service before you can continue. For more information, see your RHOSO administrator.

Identify the ID of the project you want to create the QoS policy for:

    $ openstack project list

- Sample output

    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
    | 519e6344f82e4c079c8e2eabb690023b | services |
    | 80bf5732752a41128e612fe615c886c6 | demo     |
    | 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
    +----------------------------------+----------+

Using the project ID from the previous step, create a QoS policy for the project.

- Example

In this example, a QoS policy named qos-web-servers is created for the admin project:

    $ openstack network qos policy create --project 98a2f53c20ce4d50a40dac4a38016c69 qos-web-servers

Create a DSCP rule and apply it to a policy.

- Example

In this example, a DSCP rule is created using DSCP mark 18 and is applied to the qos-web-servers policy:

    $ openstack network qos rule create --type dscp-marking --dscp-mark 18 qos-web-servers

- Sample output

    Created a new dscp_marking_rule:
    +-----------+--------------------------------------+
    | Field     | Value                                |
    +-----------+--------------------------------------+
    | dscp_mark | 18                                   |
    | id        | d7f976ec-7fab-4e60-af70-f59bf88198e6 |
    +-----------+--------------------------------------+

You can change the DSCP value assigned to a rule.

- Example

In this example, the DSCP mark value is changed to 22 for the rule, d7f976ec-7fab-4e60-af70-f59bf88198e6, in the qos-web-servers policy:

    $ openstack network qos rule set --dscp-mark 22 qos-web-servers d7f976ec-7fab-4e60-af70-f59bf88198e6

You can delete a DSCP rule.

- Example

In this example, the DSCP rule, d7f976ec-7fab-4e60-af70-f59bf88198e6, in the qos-web-servers policy is deleted:

    $ openstack network qos rule delete qos-web-servers d7f976ec-7fab-4e60-af70-f59bf88198e6

Verification
Confirm that the DSCP rule is applied to the QoS policy.
- Example

In this example, the DSCP rule, d7f976ec-7fab-4e60-af70-f59bf88198e6, is applied to the QoS policy, qos-web-servers:

    $ openstack network qos rule list qos-web-servers

- Sample output

    +-----------+--------------------------------------+
    | dscp_mark | id                                   |
    +-----------+--------------------------------------+
    |        18 | d7f976ec-7fab-4e60-af70-f59bf88198e6 |
    +-----------+--------------------------------------+

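The verification above confirms that the rule is in the policy, not that egress packets carry the mark. The following helpers are an added example, not part of the Red Hat documentation: they build a tcpdump filter for a DSCP mark and decode the mark from captured IP header bytes. The header hex strings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the product documentation): helpers for checking a
# DSCP mark on captured egress traffic. DSCP is the upper six bits of the IPv4
# ToS byte and of the IPv6 Traffic Class field.

# Print the ToS / Traffic Class byte for DSCP $1 with the ECN bits zero.
dscp_to_tos() {
    case "$1" in
        ''|*[!0-9]*|0[0-9]*) echo "DSCP must be 0-63" >&2; return 1 ;;
    esac
    [ "$1" -le 63 ] || { echo "DSCP must be 0-63" >&2; return 1; }
    printf '0x%02x\n' $(( $1 << 2 ))
}

# Print a tcpdump/pcap filter matching IPv4 or IPv6 packets that carry DSCP $1.
dscp_filter() {
    dscp_to_tos "$1" >/dev/null || return 1
    printf '(ip and (ip[1] & 0xfc) >> 2 == %d) or ' "$1"
    printf '(ip6 and (ip6[0:2] & 0x0fc0) >> 6 == %d)\n' "$1"
}

# Print the DSCP found in an IP header given as hex digits (for example the
# first words of a `tcpdump -x` line); spaces and colons are ignored.
dscp_from_header_hex() {
    hex=$(printf '%s' "$1" | tr -d ' :' | cut -c1-4)
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo "not hex: $1" >&2; return 1 ;;
        4???) echo $(( (0x$hex & 0x00fc) >> 2 )) ;;   # IPv4: byte 1 is ToS
        6???) echo $(( (0x$hex & 0x0fc0) >> 6 )) ;;   # IPv6: bits 4-9 of word 0
        *)    echo "not an IPv4/IPv6 header: $1" >&2; return 1 ;;
    esac
}

# Constructed headers: IPv4 with ToS 0x48 and IPv6 with Traffic Class 0x48.
dscp_filter 18
dscp_from_header_hex "4548 0054"
dscp_from_header_hex "6480 0000"
```

Pass the printed filter to tcpdump in single quotes on an interface that sees the port's egress traffic.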
4.4. Applying QoS policies to projects by using Networking service RBAC
With the Red Hat OpenStack Platform (RHOSP) Networking service (neutron), you can add role-based access control (RBAC) for quality of service (QoS) policies. As a result, you can apply QoS policies to individual projects.
Prerequisites
- You must have one or more QoS policies available.
Procedure
Create an RHOSP Networking service RBAC policy associated with a specific QoS policy, and assign it to a specific project:

    $ openstack network rbac create --type qos_policy --target-project <project_name | project_ID> --action access_as_shared <QoS_policy_name | QoS_policy_ID>

- Example

For example, you might have a QoS policy that allows for lower-priority network traffic, named bw-limiter. Using an RHOSP Networking service RBAC policy, you can apply the QoS policy to a specific project:

    $ openstack network rbac create --type qos_policy --target-project 80bf5732752a41128e612fe615c886c6 --action access_as_shared bw-limiter