13.6. Managing Network Accounting and Shaping

Virtuozzo Automator allows you to track the inbound and outbound network traffic as well as to shape (limit) the outgoing traffic for virtual environments.

Note

VM and container traffic is shaped by marking packets’ fwmark field. If the hardware node uses custom packet filtering rules set with the MARK and CONNMARK iptables modules, the traffic shaping feature will not work. Per-container traffic statistics, however, will be correct even if the node uses custom traffic marks.

To distinguish between domestic and international traffic, Virtuozzo introduces the concept of network classes. It is important to fully understand this notion, because network class IDs are used in essentially all network traffic parameters. A network class is a range of IP addresses for which the Virtuozzo software counts and shapes the traffic.

Virtuozzo can have up to 15 different network classes specified. Each class can contain one or more IP address ranges. It is possible to have different bandwidth shaping settings for each class.

Each network class has an ID represented by an integer number and a range of IP addresses presented in the form of ip_address/prefix_length (which conforms to the Classless Inter-Domain Routing scheme).

Class 1 has a special meaning. It is defined by the Virtuozzo software to match any IP address and is always present in the system. Other classes should be defined after Class 1. They represent exceptions from the “matching-everything” rule of Class 1.

Consider the following situation. Class 1 (the default class) corresponds to the domestic traffic, and Class 2 is supposed to account for the foreign traffic. The foreign traffic goes through the addresses in two ranges: from 10.0.0.0 to 10.255.255.255 and from 11.0.0.0 to 11.255.255.255. The exception is the sub-range from 10.10.16.0 to 10.10.16.255, which is treated as domestic traffic, as are all other IP addresses. The class configuration then looks as follows:

Class Definition    Explanation
1 0.0.0.0/0         Any IP address (all traffic).
2 10.0.0.0/8        Addresses for the “foreign” traffic.
2 11.0.0.0/8        More addresses for the “foreign” traffic.
1 10.10.16.0/24     Inside the “foreign” network there is a hole belonging to the “local” traffic.

Since the Class 2 addresses in this example are used for foreign routing, all remaining addresses fall into Class 1 and are used for local (domestic) routing, by exclusion.
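An added example (not part of the Virtuozzo documentation or software): a Python sketch that resolves an address to a class using the table above. It assumes that the most specific (longest-prefix) network wins, which reproduces the Class 1 “hole” inside 10.0.0.0/8; the function names are hypothetical.

```python
import ipaddress

# Class table from the example above: (class ID, network).
EXAMPLE_ROWS = [
    (1, "0.0.0.0/0"),
    (2, "10.0.0.0/8"),
    (2, "11.0.0.0/8"),
    (1, "10.10.16.0/24"),
]

DEFAULT_CLASS = 1  # Class 1 matches any address not covered by another class


def load_classes(rows):
    """Parse (class_id, network) rows; reject malformed or conflicting ones."""
    table = {}
    for class_id, text in rows:
        # strict=True rejects entries with host bits set, e.g. 10.10.16.5/24.
        # Both prefix-length and netmask forms are accepted for IPv4.
        net = ipaddress.ip_network(text, strict=True)
        if table.get(net, class_id) != class_id:
            raise ValueError(
                f"{net} is assigned to classes {table[net]} and {class_id}"
            )
        table[net] = class_id
    return table


def classify(address, table):
    """Return the class ID of the most specific network containing address.

    Assumption of this sketch: longest prefix wins.
    """
    ip = ipaddress.ip_address(address)
    matches = [
        (net.prefixlen, class_id)
        for net, class_id in table.items()
        if net.version == ip.version and ip in net
    ]
    if not matches:
        return DEFAULT_CLASS
    return max(matches)[1]


if __name__ == "__main__":
    table = load_classes(EXAMPLE_ROWS)
    # Constructed sample addresses
    for addr in ("10.10.16.77", "10.10.17.1", "11.200.0.1", "192.0.2.10"):
        print(addr, "-> class", classify(addr, table))
```

Running the classifier over a proposed class list before entering it shows which class each monitored address will be accounted under, and catches overlapping entries that assign the same network to two classes.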

13.6.1. Managing Network Accounting and Shaping for Physical Servers

Virtuozzo Automator displays the current status and statistics for the network traffic consumed by virtual environments on a registered physical server.

Traffic accounting service is available for virtual machines and containers residing on the physical servers with Virtuozzo virtualization software.

The screen is displayed on the Traffic subtab of the Network tab of a physical server.

With the traffic accounting service, you can view the statistics on the network traffic going from and to the physical server for each of the network classes specified in the system. The statistics are collected from the moment of the latest physical server boot-up and are displayed in the Traffic Accounting table.

Traffic shaping means limiting the network bandwidth for the traffic going from the physical server to the outer world. The Interfaces Configuration table enumerates the network interfaces (Ethernet cards) installed on the physical server and their bandwidth limit. The most common Fast Ethernet cards have their traffic throughput limited at 100 Mbps, which would be indicated in the Bandwidth column as 102400 Kbps.

Virtuozzo Automator can limit the network bandwidth not for the interface, but for each network class defined in the system and using the given interface. For this reason, the available network classes will be enumerated under each of the existing interfaces in the Rates Configuration table. The Total Rate column specifies the size of the so-called bandwidth pool for each network class being shaped for the given network adapter. The bandwidth from the pool can be borrowed by virtual environments when they need more bandwidth for communicating with hosts from the corresponding network class. It is used to limit the total available outgoing traffic virtual environments can consume. The default value for Network Class 1 on the first Ethernet adapter is 4Mbps.

As to the Rate Guarantee column, its value amounts to the number of kilobits per second any virtual environment is guaranteed to receive for outgoing traffic with the corresponding network class on the given Ethernet device. The default value is 8 Kbps, which means that any virtual environment is guaranteed to receive the bandwidth of at least 8 Kbps for sending data to Class 1 hosts on the first Ethernet device. This bandwidth is not the limit for a virtual environment (though it is possible to make it the limit) - the virtual environment is able to take the needed bandwidth from the bandwidth pool if it is not used by other virtual environments.

Apart from viewing the current state of affairs with the physical server traffic, the Traffic subtab allows you to do the following:

  • Define the network classes for the physical server traffic by clicking the Configure Accounting button;

  • Specify the bandwidth limit for the existing network interface cards by clicking the Configure Interfaces button;

  • Set up the traffic shaping rules for each network interface card on the physical server by clicking the Configure Rates button;

  • Enable traffic shaping for the physical server by clicking the Enable Shaping button;

    Note

    You can enable shaping only if you have already completed the first three actions on this list, namely: defined at least one network class, specified the bandwidth limit for the existing NICs, and configured the outgoing traffic rates for each ‘interface-class’ pair.

  • Disable traffic shaping for the physical server by clicking the Disable Shaping button.

13.6.1.1. Setting Up Network Classes

To set up a network class, go to Infrastructure > physical server > Network tab > Traffic subtab and click the Configure Accounting button. The screen allows configuring traffic accounting by creating traffic accounting classes on the physical server and specifying the network for each class.

Virtuozzo Automator allows combining IPv4 and IPv6 addresses within a traffic shaping class. Since a traffic class can include several networks, you just need to add the appropriate IPv4 and IPv6 networks to the class.

  • The Class ID field should be filled with an integer from 0 to 15 representing the ID of the class.

  • The Network field should indicate which network's hosts are to be treated as belonging to the given class. The network should be specified in the Classless Inter-Domain Routing format, for example, 212.95.68.0/255.255.255.0 for IPv4 or 3ffe:1900:4545:3:200:f8ff:fe21:0000/112 for IPv6.

  • The plus icon allows you to add another Class ID/Network line, where you can either define an additional class or an additional network for an already existing class. In the latter case you will have two or more lines with one and the same class ID, but different networks.

  • The cross icon allows you to delete the given Class ID/Network line.

13.6.1.2. Configuring Network Adapters

The Configure Interfaces page (accessible by clicking the Configure Interfaces button on the Traffic subtab of the Network tab of a physical server) enables you to define which network adapters installed on the physical server will be taken into account by Virtuozzo network accounting and shaping policies.

This page lists all the network interface cards installed on the physical server together with their default (or assigned) bandwidth and IP addresses. You are able to manage these interfaces in two ways:

  • Select or clear the check box beside the corresponding adapter to include it in or exclude it from network accounting and shaping.

  • Adjust the bandwidth value. It is recommended to leave the default hardware value, or at least not to increase it, because a higher value might interfere with the correct working of network accounting and shaping. In addition, you cannot make this value lower than the Total Rate value of any class defined for the given interface.

13.6.1.3. Configuring Network Shaping

The Configure Rates page (accessible by clicking the Configure Rates button on the Traffic subtab of the Network tab of a physical server) allows you to set up all the parameters that define how much bandwidth will be accessible to the virtual machines residing on the physical server. Only the bandwidth for outgoing traffic is considered here.

The page is split into separate groups for each of the network adapters present on the physical server and selected for being shaped on the Configuring Interfaces page (see Configuring Network Adapters in Managing Network Accounting and Shaping for Physical Servers). If there is only one network adapter, it does not form any group. The following information is given and is customizable for each network adapter.

The Bandwidth field specifies the total bandwidth limit of the adapter (in Kbits per second). The most common Fast Ethernet cards have their traffic throughput limited at 100 Mbps, which would be indicated in the Bandwidth field as 102,400 Kbit/s. The value in this field corresponds strictly to the value of the Bandwidth field on the Configuring Interfaces page (see Configuring Network Adapters in Managing Network Accounting and Shaping for Physical Servers). Thus, it is the second place where you can adjust the total bandwidth throughput of the given network interface.

The Virtuozzo software can limit the network bandwidth not for the interface, but for each network class defined in the system and using the given interface. For this reason, the available network classes are enumerated under each of the existing interfaces. The Total rate field specifies the size of the so-called bandwidth pool for each network class being shaped for the given network adapter. The bandwidth from the pool can be borrowed by virtual environments when they need more bandwidth for communicating with hosts from the corresponding network class. It is used to limit the total available outgoing traffic virtual environments can consume. The default value for Network Class 1 on the first Ethernet adapter is 4096, which corresponds to the pool size of 4Mbps. Class 1 is always included in the shaping of all adapters, as this class matches all the network addresses not covered by other, user-defined classes. As to all the other classes, they can be excluded from the shaping if you clear the Enable shaping for this class check box, and included in the shaping if you select the check box.

Finally, the value of the Rate guarantee field amounts to the number of kilobits per second any virtual environment is guaranteed to receive for outgoing traffic with the corresponding network class on the given Ethernet device. The default value is 8, which means that any virtual environment is guaranteed to receive the bandwidth of at least 8 Kbps for sending data to Class 1 hosts on the first Ethernet device. This bandwidth is not the limit for a virtual environment (though it is possible to make it the limit) - the virtual environment is able to take the needed bandwidth from the bandwidth pool if it is not used by other virtual machines.

13.6.2. Managing Network Shaping for Containers

The network shaping (setting limit on the available bandwidth for outgoing traffic) is generally defined for each container on the given physical server on the Configure Shaping page in Virtuozzo Automator. The Configure Traffic Shaping page (which you can access by clicking Configure > Shaping on the container toolbar) allows you to redefine some of the shaping parameters for the given particular container.

Network bandwidth management works in the following way. The bandwidth pool for a given network class (indicated on the page as Bandwidth for each network adapter) is divided among the containers transmitting data proportionally to their Rate Guarantee settings. The global Rate Guarantee setting is defined on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers), but can be redefined here in the Container Rate Guarantee field for the given container. If the total value of the rate guarantees of all containers transmitting data does not exceed the bandwidth pool value, each container gets bandwidth equal to or greater than its rate guarantee (unless the Use Container Rate Guarantee as limit radio button is not selected on this page). If the total value of the rate guarantees of all containers transmitting data exceeds the bandwidth pool, each container may get less than its rate guarantee.

It follows that the Use class bandwidth as limit radio button lets the container exceed its rate guarantee if there is enough spare bandwidth in the pool, whereas the Use Container Rate Guarantee as limit radio button does not.
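An added example (not Virtuozzo code): a simplified Python model of the pool division described above, useful for checking whether a set of rate guarantees oversubscribes a class pool. The function name, the container names and the redistribution of bandwidth left over by capped containers are assumptions of this sketch; the real shaper's behaviour may differ in detail.

```python
def allocate(pool_kbps, guarantees, limited=()):
    """Split a class bandwidth pool among environments that are transmitting.

    pool_kbps  -- Total Rate of the class on the adapter, in Kbps
    guarantees -- {name: Rate Guarantee in Kbps} for transmitting environments
    limited    -- names with "use rate guarantee as limit" selected
    Returns {name: bandwidth in Kbps}.
    """
    shares = {}
    active = dict(guarantees)
    pool = float(pool_kbps)
    while active:
        total = sum(active.values())
        if total == 0:
            shares.update({name: 0.0 for name in active})
            break
        # Limited environments whose proportional share reaches their
        # guarantee are pinned to the guarantee; the rest of the pool is
        # then re-divided among the others.
        capped = [
            name for name, g in active.items()
            if name in limited and pool * g / total >= g
        ]
        if not capped:
            shares.update(
                {name: pool * g / total for name, g in active.items()}
            )
            break
        for name in capped:
            shares[name] = float(active.pop(name))
            pool -= shares[name]
    return shares


def oversubscribed(pool_kbps, guarantees):
    """True if the guarantees cannot all be honoured at the same time."""
    return sum(guarantees.values()) > pool_kbps


if __name__ == "__main__":
    # Defaults from the text: 4096 Kbps pool, 8 Kbps guarantee.
    # Container names are constructed for the example.
    default = {"ct101": 8, "ct102": 8, "ct103": 8}
    print(allocate(4096, default))
    print(allocate(4096, default, limited={"ct103"}))
    heavy = {"ct101": 2048, "ct102": 2048, "ct103": 4096}
    print(oversubscribed(4096, heavy), allocate(4096, heavy))
```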

Note that network classes with IDs of 2 and higher are not taken into account in the network shaping of this container if the Enable shaping for this class check box is cleared. The default state of this option (selected or cleared) depends on what has been chosen on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers).

13.6.2.1. Viewing Network Shaping Settings for Containers

The Shaping subtab of the Network tab allows you to view the shaping parameters for the given container. These parameters can be either the default ones or already customized.

The presented table informs you of the container shaping settings for each of the network classes configured on the physical server. If the table is not present, this means that either traffic shaping is disabled on the physical server, or no network classes are configured.

Tip

To configure network classes on a physical server, go to Infrastructure > physical server > Network tab > Traffic subtab.

The Total Rate field shows the bandwidth limit that is set for the corresponding class on the physical server, which means that the total outgoing traffic of all the containers of this physical server to the external addresses belonging to this class cannot exceed this value.

The Rate Guarantee value serves as the guaranteed rate for the given container with this class of addresses. Note, though, that if the total of the Rate Guarantee values of all the containers exceeds the Bandwidth value and all the containers demand traffic at the same moment, each container gets less traffic than is guaranteed to it.

13.6.2.2. Configuring Network Shaping for Containers

The network shaping (setting limit on the available bandwidth for outgoing traffic) is generally defined for each container on the given physical server on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers). The Configure Traffic Shaping page (which you can access by clicking Configure > Shaping on the container toolbar) allows you to define more precisely some of the shaping parameters for the given particular container. To do this, you should first select the Configure the container rate guarantees manually radio button in the Rate Guarantees Setup group of options.

Shaping is configured separately for each class. The default state of the Enable shaping for this class check box (selected or cleared) depends on what has been chosen on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers). However, you can redefine if the shaping of this class should be turned on or off for this particular container by setting this check box in the appropriate state.

The Total Rate field shows the bandwidth limit that is set for the corresponding class on the physical server, which means that the total outgoing traffic of all the containers of this physical server to the external addresses belonging to this class cannot exceed this value.

The Rate Guarantee value that you can set here will serve as the guaranteed rate for the given container with this class of addresses. Note, though, that if the total of the Rate Guarantee values of all the containers exceeds the Bandwidth value and all the containers demand traffic at the same moment, each container gets less traffic than is guaranteed to it.

The Do not allow to exceed the rate guarantees check box, if selected, tells Virtuozzo Automator to keep the container from getting more bandwidth than is defined in its Rate Guarantee values, even if there is spare bandwidth on the physical server for this class. Thus, you can efficiently impose bandwidth rate limits on any container.

13.6.3. Managing Network Shaping for Virtual Machines

The network shaping (setting limit on the available bandwidth for outgoing traffic) is generally defined for each virtual machine on the given physical server on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers) in Virtuozzo Automator. The Configure Traffic Shaping page (which you can access by clicking the Configure button on the Shaping subtab of the virtual machine Network tab) allows you to redefine some of the shaping parameters for the given particular virtual machine.

Network bandwidth management works in the following way. The bandwidth pool for a given network class (indicated on the page as Bandwidth for each network adapter) is divided among the virtual machines transmitting data proportionally to their Rate Guarantee settings. The global Rate Guarantee setting is defined on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers), but can be redefined here in the Virtual Machine Rate Guarantee field for the given virtual machine. If the total value of the rate guarantees of all virtual machines transmitting data does not exceed the bandwidth pool value, each virtual machine gets bandwidth equal to or greater than its rate guarantee (unless the Use Virtual Machine Rate Guarantee as limit radio button is not selected on this page). If the total value of the rate guarantees of all virtual machines transmitting data exceeds the bandwidth pool, each virtual machine may get less than its rate guarantee.

It follows that the Use class bandwidth as limit radio button lets the virtual machine exceed its rate guarantee if there is enough spare bandwidth in the pool, whereas the Use Virtual Machine Rate Guarantee as limit radio button does not.

Note that network classes with IDs of 2 and higher are not taken into account in the network shaping of this virtual machine if the Enable shaping for this class check box is cleared. The default state of this option (selected or cleared) depends on what has been chosen on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers).

13.6.3.1. Viewing Network Shaping Settings for Virtual Machines

The Shaping subtab of the Network tab allows you to view the traffic shaping parameters for the given virtual machine. For more information, see Viewing Network Shaping Settings for Containers in Managing Network Shaping for Containers.

13.6.3.2. Configuring Network Shaping for Virtual Machines

Network shaping (limiting of outgoing traffic bandwidth) is generally defined for each virtual machine on the given physical server on the Configure Shaping page (see Configuring Network Shaping in Managing Network Accounting and Shaping for Physical Servers) which allows you to fine-tune shaping for the given virtual machine. For more information, see Configuring Network Shaping for Containers in Managing Network Shaping for Containers.