yahoo-eng-team team mailing list archive

[Dustin Lundquist <dustin@xxxxxxxxxxxx>]

Public bug reported:

This limitation arose in while testing Neutron LBaaS using the HAProxy
namespace driver, but applies to other proxying type backends including
Octavia. A single load balancer instance (network namespace, or amphora)
can only establish as many concurrent TCP connections to a single pool
member as there are available distinct source IP, source TCP port
combinations on the load balancing instance (network namespace or
amphora). The source TCP port range is limited by the configured
ephemeral port range, but this can be tuned to include all the
unprivileged TCP ports (1024 - 65535) via sysctl. The available source
addresses are limited to IP addresses bound to the instance, for the
load balancing instance must be able to receive the response from the
pool member.

In short the total number of concurrent TCP connections to any single
backend is limited to 64k times the number of available source IP
addresses. This is because each TCP connection is identified by the
4-tuple: (src-ip, src-port, dst-ip, dst-port) and (dst-ip, dst-port) is
used to define a specific pool member. TCP ports are limited by the
16bit field in the TCP protocol definition. In order to further increase
the number of possible connections from a load balancing instance to a
single backend we must increase this tuple space by increasing the
number of available source IP addresses.

Therefore, I propose we offer an option to attach multiple fixed-ips in
the same subnet to the Neutron port of the load balancing instance
facing the pool member. This would increase the tuple space allowing
more than 64k concurrent connections to a single backend.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: lbaas rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1629066

Title:
  RFE Optionally bind load balancer instance to multiple IPs to increase
  available (source IP, source port) space to support > 64k connections
  to a single backend

Status in neutron:
  New

Bug description:
  This limitation arose in while testing Neutron LBaaS using the HAProxy
  namespace driver, but applies to other proxying type backends
  including Octavia. A single load balancer instance (network namespace,
  or amphora) can only establish as many concurrent TCP connections to a
  single pool member as there are available distinct source IP, source
  TCP port combinations on the load balancing instance (network
  namespace or amphora). The source TCP port range is limited by the
  configured ephemeral port range, but this can be tuned to include all
  the unprivileged TCP ports (1024 - 65535) via sysctl. The available
  source addresses are limited to IP addresses bound to the instance,
  for the load balancing instance must be able to receive the response
  from the pool member.

  In short the total number of concurrent TCP connections to any single
  backend is limited to 64k times the number of available source IP
  addresses. This is because each TCP connection is identified by the
  4-tuple: (src-ip, src-port, dst-ip, dst-port) and (dst-ip, dst-port)
  is used to define a specific pool member. TCP ports are limited by the
  16bit field in the TCP protocol definition. In order to further
  increase the number of possible connections from a load balancing
  instance to a single backend we must increase this tuple space by
  increasing the number of available source IP addresses.

  Therefore, I propose we offer an option to attach multiple fixed-ips
  in the same subnet to the Neutron port of the load balancing instance
  facing the pool member. This would increase the tuple space allowing
  more than 64k concurrent connections to a single backend.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1629066/+subscriptions