From ef010e6456b796b5fc7bcf33793255ccd89b53a6 Mon Sep 17 00:00:00 2001 From: "Michael J. Carmody" Date: Tue, 24 Sep 2019 16:12:09 +1000 Subject: feature: adding notes for running on vmware around contending memory and memory management in low memory situations --- docs/appendix/vyos-on-vmware.rst | 32 ++++++++++++++++++++++++++++++++ docs/index.rst | 1 + 2 files changed, 33 insertions(+) create mode 100644 docs/appendix/vyos-on-vmware.rst (limited to 'docs') diff --git a/docs/appendix/vyos-on-vmware.rst b/docs/appendix/vyos-on-vmware.rst new file mode 100644 index 00000000..85b4cef5 --- /dev/null +++ b/docs/appendix/vyos-on-vmware.rst 
@@ -0,0 +1,32 @@ +.. _vyosonvmware: + +Running on VMWare ESXi +##################### + +ESXi 5.5 or later +**************** + +.ova files are available for supporting users, and a VyOS can also be stood up using a generic Linux instance, and attaching the bootable ISO file and installing from the ISO +using the normal process around `install image`. + +.. NOTE:: There have been previous documented issues with GRE/IPSEC tunneling using the E1000 adapter on the VyOS guest, and use of the VMXNET3 has been advised. + +Memory Contention Considerations +-------------------------------- +When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in s a 'soft' state to start reclaiming memory from guest operating systems. +This causes an artifical pressure using the vmmemctl driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is unable to +force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual guest into a low memory state with no way to escape. The balloon can expand to 65% of +guest allocated memory, so a VyOS guest running >35% of memory usage, can encoutner an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted +lottery favouring memory hungry processes will be run with the unlucky winner being terminated by the kernel. + +It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning is not inflicted on virtual VyOS guests. + + + + + +References +---------- + +https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html + diff --git a/docs/index.rst b/docs/index.rst index 58461850..59b74b38 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -43,6 +43,7 @@ as a router and firewall platform for cloud deployments. appendix/troubleshooting.rst appendix/examples/index.rst appendix/commandtree/index.rst + appendix/vyos-on-vmware.rst appendix/vyos-on-baremetal.rst appendix/migrate-from-vyatta.rst -- cgit v1.2.3 From dde537bb3fc1149c06b91784adba0be9fe1daf43 Mon Sep 17 00:00:00 2001 From: SquirePug <42793435+SquirePug@users.noreply.github.com> Date: Tue, 24 Sep 2019 16:27:19 +1000 Subject: Update vyos-on-vmware.rst --- docs/appendix/vyos-on-vmware.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/appendix/vyos-on-vmware.rst b/docs/appendix/vyos-on-vmware.rst index 85b4cef5..27801b4f 100644 --- a/docs/appendix/vyos-on-vmware.rst +++ b/docs/appendix/vyos-on-vmware.rst @@ -1,10 +1,10 @@ .. _vyosonvmware: Running on VMWare ESXi -##################### +###################### ESXi 5.5 or later -**************** +***************** .ova files are available for supporting users, and a VyOS can also be stood up using a generic Linux instance, and attaching the bootable ISO file and installing from the ISO using the normal process around `install image`. -- cgit v1.2.3 From e7419859954cdc549e3e3a514936817754e72dda Mon Sep 17 00:00:00 2001 From: SquirePug <42793435+SquirePug@users.noreply.github.com> Date: Tue, 24 Sep 2019 16:29:17 +1000 Subject: Update vyos-on-vmware.rst --- docs/appendix/vyos-on-vmware.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/appendix/vyos-on-vmware.rst b/docs/appendix/vyos-on-vmware.rst index 27801b4f..6feb95ba 100644 --- a/docs/appendix/vyos-on-vmware.rst +++ b/docs/appendix/vyos-on-vmware.rst 
@@ -16,7 +16,7 @@ Memory Contention Considerations When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in s a 'soft' state to start reclaiming memory from guest operating systems. This causes an artifical pressure using the vmmemctl driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is unable to force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual guest into a low memory state with no way to escape. The balloon can expand to 65% of -guest allocated memory, so a VyOS guest running >35% of memory usage, can encoutner an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted +guest allocated memory, so a VyOS guest running >35% of memory usage, can encounter an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted lottery favouring memory hungry processes will be run with the unlucky winner being terminated by the kernel. It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning is not inflicted on virtual VyOS guests. -- cgit v1.2.3 From 85b00dbed71eb66a2f815289c37c6d472738a7e9 Mon Sep 17 00:00:00 2001 From: SquirePug <42793435+SquirePug@users.noreply.github.com> Date: Wed, 30 Oct 2019 14:27:42 +1100 Subject: Update dmvpn.rst --- docs/vpn/dmvpn.rst | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index 5b206c57..e53a013a 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst 
@@ -36,7 +36,7 @@ Baseline Configuration: The tunnel will be set to mGRE if for encapsulation `gre` is set, and no `remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip` -can be set to "0.0.0.0" +can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set. .. figure:: ../_static/images/vpn_dmvpn_topology01.png :scale: 40 % @@ -160,6 +160,11 @@ HUB Example Configuration: set protocols static route 0.0.0.0/0 next-hop 1.1.1.2 set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 set protocols static route 192.168.3.0/24 next-hop 10.0.0.3 + +HUB on AWS Configuration Specifics +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the offical AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console) SPOKE Configuration ^^^^^^^^^^^^^^^^^^^ @@ -412,4 +417,4 @@ SPOKE2 Example Configuration .. _RFC2332: https://tools.ietf.org/html/rfc2332 .. _RFC1702: https://tools.ietf.org/html/rfc1702 -.. _RFC4301: https://tools.ietf.org/html/rfc4301 \ No newline at end of file +.. _RFC4301: https://tools.ietf.org/html/rfc4301 -- cgit v1.2.3
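Review bot: in docs/appendix/vyos-on-vmware.rst (hunk @@ -0,0 +1,32), the Memory Contention Considerations paragraph gives a ~92% host utilisation trigger and a 65% balloon ceiling, but the only entry under References is a blog post about the Linux OOM killer, so a reader cannot check either figure. Please cite the VMware source for both numbers, or word them as observed values. The closing advice would be easier to act on if it said how large the reservation should be relative to the guest's allocated memory; "adequate memory reservations" leaves that open, and on a router the cost of getting it wrong is the kernel killing a process the paragraph does not name. Minor: the title spells the vendor "VMWare" where the vendor writes "VMware", and five empty lines are added before the References heading where one is enough.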
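Review bot: the hunk @@ -16,7 +16,7 in docs/appendix/vyos-on-vmware.rst corrects "encoutner" only, while its unchanged context lines still carry "in s a 'soft' state" and "artifical" in the same paragraph. Fold those two fixes into this commit so the paragraph does not need a fourth touch. While there, "unable to force processes to move in memory data to the paging file" reads more clearly as "in-memory data", and the comma after "memory usage" in "running >35% of memory usage, can encounter" can go.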
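Review bot: the sentence appended after "0.0.0.0" in docs/vpn/dmvpn.rst (hunk @@ -36,7 +36,7) tells the reader to delete and recreate the interface but not why. Since the preceding sentence says the tunnel becomes mGRE only when no `remote-ip` is set, say explicitly whether removing `remote-ip` alone fails to return the tunnel to mGRE, so the reader knows what symptom this works around. Please also reword "will need to be `delete`'d" to "must be deleted", and wrap the line like the surrounding text; it is currently one long line appended to a wrapped paragraph.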
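Review bot: in the new "HUB on AWS Configuration Specifics" section of docs/vpn/dmvpn.rst (hunk @@ -160,6 +160,11), "the security group network ACL attached to the EC2 instance" merges two different AWS constructs. The first place is the VPC Network ACL, the second is the instance's security group, so call it just "the security group". The paragraph also gives neither a direction nor a source range for the protocol 47 rule. Network ACL rules are written per direction, so state whether inbound, outbound or both are needed there, and recommend limiting the source to the spokes' public addresses rather than leaving it open. Minor: "offical" should be "official", and the parenthetical about locating the VPC and security group reads better as its own sentence.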