Bug 2086688

Summary: [TestOnly] OVS TC Flower offload with Conntrack (GA)
Product: Red Hat OpenStack
Reporter: Haresh Khandelwal <hakhande>
Component: openvswitch
Assignee: Haresh Khandelwal <hakhande>
Status: VERIFIED ---
QA Contact: Miguel Angel Nieto <mnietoji>
Severity: high
Docs Contact:
Priority: high
Version: 16.2 (Train)
CC: apevec, chrisw, ekuris, gregraka, gurpsing, jamsmith, mariel, vkhitrin
Target Milestone: ga
Keywords: FutureFeature, TestOnly, Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
RHOSP 17.1 GA supports the offloading of OpenFlow flows to hardware with the connection tracking (conntrack) module. For more information, see link:{defaultURL}/configuring_network_functions_virtualization/part-sriov-nfv-configuration#components_of_ovs_hardware_offload[Components of OVS hardware offload] in the _Configuring network functions virtualization_ guide.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Haresh Khandelwal 2022-05-16 13:08:07 UTC
Description of problem:

About Feature:
Today, Telco customers are asked to turn off security groups on datapath interfaces like OVS-DPDK because connection tracking reduces performance by 50%. API and control plane connections that need security groups use different interfaces.

OVS Connection tracking for the Mobile use case presentation at OVS conference Nov 2017:
https://docs.google.com/presentation/d/1yn4mHBsk-_nW8nmTlrKLIkPu304MJK269oekjCU-OAM/edit#slide=id.gb6f3e2d2d_2_213

Most NFV/Telco applications are not stateful and don't need conntrack, but OpenStack implements security groups as conntrack, and turning off security groups implies there is no access control or network policy enforcement for NFV use cases.

If conntrack flows can be offloaded to the SmartNIC with OVS TC flower offload, this implies security groups can be enabled on datapath interfaces. Need to measure connection rate and bandwidth with connection tracking offload.

Additionally, OpenStack implements NAT using CT. Offloading NAT to HW allows North-South traffic to be terminated at the compute node itself.

Connection tracking offload was TPed in 16.2.3 (Bz#1846101). This Bz should graduate this feature to GA.

RHEL supports CT offload from RHEL 9.0 onward. OSP17 and onwards should be the ideal OSP release to GA this feature.

Additional info:
Reference links:
https://issues.redhat.com/browse/RHELBU-616
https://issues.redhat.com/browse/RHELPLAN-76507

Comment 7 Miguel Angel Nieto 2023-03-30 07:50:49 UTC
I have verified the feature successfully:
https://polarion.engineering.redhat.com/polarion/#/project/RHELOpenStackPlatform/testruns?query=20230317-1557

I only had issues with transparent VLAN related to conntrack:
https://bugzilla.redhat.com/show_bug.cgi?id=2176775

And these other bzs related to Mellanox:
https://bugzilla.redhat.com/show_bug.cgi?id=2175802
https://bugzilla.redhat.com/show_bug.cgi?id=2172181

It has not been possible to run performance in 17.1 due to other bzs:
https://bugzilla.redhat.com/show_bug.cgi?id=2179366
https://bugzilla.redhat.com/show_bug.cgi?id=2182371