On 6/17/24 12:43, Marco Moock wrote:
On 17.06.2024 at 11:58:49, R C wrote:
I was wondering, in high performance environments (high compute loads, high bandwidth loads (IB)), is it a concern to run a firewall for network performance reasons? Also, with high compute loads, I heard/read a rumor that a firewall might actually cap traffic?
Depending on the rules (SPI needs much more resources than stateless) and the traffic, there will be an impact. I can feel that effect on the Cisco SPI firewall in my C886va if I use it on links that have high traffic.
Well, I am talking about firewalld, RHEL8. Regardless of SPI. My reasoning is, a firewall needs to check pretty much every packet a node receives. A node, compute or data node, receives a lot of traffic (that's why InfiniBand is used, IB) and a compute node uses a lot of cycles; typically one tries to come as close to the number of flops to be used (also threads/ranks and core use). So every incoming packet needs to be done something firewall wise (which takes cycles) so that has an impact on bandwidth between nodes. On the other hand, machines "running at/close to max" don't have cycles to spare. So a busy compute node with a lot of traffic might be seriously impacted (?). Are there any available metrics, or what would be a good way to 'predict' that?
If you need a firewall, you need to provide enough resources to run it properly without a performance impact.
That's the question, enough resources, how do you determine how many resources a compute node would need?
Ron