[Contrail] How to pin a vSRX process to CPU resources not shared by vhost processes


Article ID: KB35758 KB Last Updated: 06 May 2020 Version: 1.0
Summary:

Deploying vSRX on a compute node that runs in kernel mode has a few requirements for optimal performance. One requirement is that vSRX should use dedicated CPU resources that are not shared by vhost processes.

This article describes how to check which CPU cores a vSRX process is pinned to and how to move vhost processes to different CPU cores.

 

Symptoms:

Users may observe occasional traffic loss when traffic goes through the vSRX firewall. Packet captures taken with tcpdump -i <tap_id> reveal that some packets seen on the TAP interface ingressing the vSRX instance do not egress the vSRX TAP interface.

 

Cause:

When the CPU allocation for the vSRX instance is checked, it is seen to use two CPUs, 8 and 36, as highlighted below. In our example, vSRX has KVM ID #6 in the virsh list command.

$ virsh dumpxml 6|grep vcpu 

<nova:vcpus>2</nova:vcpus>
  <vcpu placement='static'>2</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='8'/>
    <vcpupin vcpu='1' cpuset='36'/>
    <emulatorpin cpuset='10-11'/>
  </cputune>
  <cpu mode='host-model'>
      <cell id='0' cpus='0-1' memory='4194304' unit='KiB'/>
  </cpu>

If we check the CPU resources used by vhost, 8 and 36 are used by vhost as well.

# pgrep vhost- | while read line ; do taskset -pc $line;done

pid 10520's current affinity list: 8,36
pid 10521's current affinity list: 8,36
pid 10522's current affinity list: 8,36
pid 10523's current affinity list: 8,36

This CPU sharing introduces performance issues for TX/RX of vSRX from/to the Linux kernel as shown below:

 

Solution:

In the aforementioned use case, we can manually pin vhost to a different set of CPUs as shown:

# taskset -p -c 10,11 10520
pid 10520's current affinity list: 8,36
pid 10520's new affinity list: 10,11

The same taskset command needs to be performed for all vhost processes such that none of them shares CPU resources with vSRX.

# pgrep vhost- | while read line ; do taskset -pc $line;done

pid 10520's current affinity list: 10,11
pid 10521's current affinity list: 10,11
pid 10522's current affinity list: 10,11
pid 10523's current affinity list: 10,11
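
As an added example (not part of the original article or of Juniper's tooling), the following POSIX shell functions automate the comparison made above: they parse `virsh dumpxml` and `taskset -pc` output and list every CPU that is both a vSRX vCPU pin and in a vhost affinity list. The function names are hypothetical, and the sample input is constructed from the values shown in this article.

```shell
#!/bin/sh
# Added example: list CPUs shared by a guest's pinned vCPUs and the vhost threads.

# Expand a cpuset string ("8,36" or "10-11,14") into one CPU id per line.
expand_cpuset() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
        [ -n "$lo" ] || continue
        i=$lo
        while [ "$i" -le "${hi:-$lo}" ]; do
            echo "$i"
            i=$((i + 1))
        done
    done
}

# stdin: `virsh dumpxml <id>` output. Prints the <vcpupin> CPUs, one per line.
# <emulatorpin> is deliberately not counted as a vSRX vCPU.
vcpu_pinned_cpus() {
    sed -n "s/.*<vcpupin [^>]*cpuset='\([^']*\)'.*/\1/p" | while read -r cpus; do
        expand_cpuset "$cpus"
    done | sort -un
}

# stdin: `taskset -pc <pid>` output lines. $1: guest CPU list (one per line).
# Prints "pid cpu" for every vhost CPU that is also a guest vCPU pin.
shared_cpus() {
    sed -n "s/^pid \([0-9]*\)'s current affinity list: \(.*\)/\1 \2/p" |
    while read -r pid cpus; do
        for c in $(expand_cpuset "$cpus"); do
            if printf '%s\n' "$1" | grep -qx "$c"; then echo "$pid $c"; fi
        done
    done
}

# Sample input, constructed from the values shown in this article.
SAMPLE_XML="    <vcpupin vcpu='0' cpuset='8'/>
    <vcpupin vcpu='1' cpuset='36'/>
    <emulatorpin cpuset='10-11'/>"
SAMPLE_BEFORE="pid 10520's current affinity list: 8,36
pid 10521's current affinity list: 8,36"
SAMPLE_AFTER="pid 10520's current affinity list: 10,11
pid 10521's current affinity list: 10,11"

guest=$(printf '%s\n' "$SAMPLE_XML" | vcpu_pinned_cpus)
echo "shared before re-pinning:"
printf '%s\n' "$SAMPLE_BEFORE" | shared_cpus "$guest"
echo "shared after re-pinning (expected: none):"
printf '%s\n' "$SAMPLE_AFTER" | shared_cpus "$guest"
```

On a compute node, feed the functions the live output of `virsh dumpxml 6` and of the `pgrep vhost-` loop shown above instead of the sample variables; an empty result from `shared_cpus` means no vhost process shares a CPU with the vSRX vCPUs.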

The effect of the above change is described in the following image:

 
