Bug 1836804
| Summary: | [OVN] Investigate if on a logical switch with stateful ACLs conntrack usage can be optimized. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Dumitru Ceara <dceara> |
| Component: | OVN | Assignee: | Numan Siddique <nusiddiq> |
| Status: | CLOSED ERRATA | QA Contact: | Jianlin Shi <jishi> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | FDP 20.E | CC: | ctrautma, nusiddiq |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-16 16:01:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Verified on rhel8 version:

```
[root@dell-per740-42 bz1836804]# ovs-dpctl dump-flows | grep "in_port(2"
recirc_id(0x4),in_port(2),ct_state(-new+est-rel-rpl-inv+trk),ct_label(0/0x3),eth(src=00:00:00:01:01:02,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(src=192.168.1.0/255.255.255.128,dst=192.168.2.1,proto=1,tos=0/0x3,ttl=64,frag=no), packets:31, bytes:3038, used:0.793s, actions:ct_clear,ct_clear,set(tunnel(tun_id=0x3,dst=20.0.50.26,ttl=64,tp_dst=6081,geneve({class=0x102,type=0x80,len=4,0x10002}),flags(df|csum|key))),set(eth(src=00:00:00:00:00:02,dst=00:00:00:02:01:02)),set(ipv4(ttl=63)),4
recirc_id(0),in_port(2),eth(src=00:00:00:00:00:00/01:00:00:00:00:00,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(dst=192.168.2.0/255.255.254.0,proto=1,frag=no), packets:32, bytes:3136, used:0.793s, actions:ct(zone=1),recirc(0x4)

<=== 2 flows

[root@dell-per740-42 bz1836804]# rpm -qa | grep -E "openvswitch|ovn"
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
openvswitch2.13-2.13.0-58.el8fdp.x86_64
ovn2.13-host-20.06.2-3.el8fdp.x86_64
ovn2.13-20.06.2-3.el8fdp.x86_64
ovn2.13-central-20.06.2-3.el8fdp.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3769
tested with following script:

server:

```
# Start OVS and OVN central, expose the NB/SB databases, register this chassis as hv1
systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:20.0.50.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.50.25
systemctl restart ovn-controller

# Namespace server0, bound to logical port ls1p1
ip netns add server0
ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p
ip netns exec server0 ip link set lo up
ip netns exec server0 ip link set veth0_s0 up
ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02
ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0
ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0
ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0
ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0
ovs-vsctl add-port br-int veth0_s0_p
ip link set veth0_s0_p up
ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1

# Logical topology: switches ls1 and ls2 connected through router lr1
ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1p1
ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1"
ovn-nbctl lsp-add ls1 ls1p2
ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2"
ovn-nbctl lr-add lr1
ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:00:01 192.168.1.254/24 2001::a/64
ovn-nbctl lsp-add ls1 ls1-lr1
ovn-nbctl lsp-set-addresses ls1-lr1 "00:00:00:00:00:01 192.168.1.254 2001::a"
ovn-nbctl lsp-set-type ls1-lr1 router
ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1
ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:00:02 192.168.2.254/24 2002::a/64
ovn-nbctl ls-add ls2
ovn-nbctl lsp-add ls2 ls2-lr1
ovn-nbctl lsp-set-addresses ls2-lr1 "00:00:00:00:00:02 192.168.2.254 2002::a"
ovn-nbctl lsp-set-type ls2-lr1 router
ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2
ovn-nbctl lsp-add ls2 ls2p1
ovn-nbctl lsp-set-addresses ls2p1 "00:00:00:02:01:02 192.168.2.1 2002::1"
ovn-nbctl lsp-add ls1 ls1p3
ovn-nbctl lsp-set-addresses ls1p3 "00:00:00:01:03:02 192.168.1.3 2001::3"

# Namespace server2, bound to logical port ls1p3
ip netns add server2
ip link add veth0_s2 netns server2 type veth peer name veth0_s2_p
ip netns exec server2 ip link set lo up
ip netns exec server2 ip link set veth0_s2 up
ip netns exec server2 ip link set veth0_s2 address 00:00:00:01:03:02
ip netns exec server2 ip addr add 192.168.1.3/24 dev veth0_s2
ip netns exec server2 ip -6 addr add 2001::3/64 dev veth0_s2
ip netns exec server2 ip route add default via 192.168.1.254 dev veth0_s2
ip netns exec server2 ip -6 route add default via 2001::a dev veth0_s2
ovs-vsctl add-port br-int veth0_s2_p
ip link set veth0_s2_p up
ovs-vsctl set interface veth0_s2_p external_ids:iface-id=ls1p3

# Load balancer on both switches, plus the stateful (allow-related) ACLs under test
ovn-nbctl lb-add lb0 192.168.1.100 192.168.1.1,192.168.1.2
ovn-nbctl ls-lb-add ls2 lb0
ovn-nbctl ls-lb-add ls1 lb0
ovn-nbctl acl-add ls1 from-lport 900 'inport == "ls1p1" && ip' allow-related
ovn-nbctl acl-add ls2 from-lport 900 'ip' allow-related
```

client:

```
# Register this chassis as hv0 against the central node at 20.0.50.25
systemctl start openvswitch
ovs-vsctl set open . external_ids:system-id=hv0 external_ids:ovn-remote=tcp:20.0.50.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.50.26
systemctl start ovn-controller

# Namespace server1, bound to logical port ls1p2
ip netns add server1
ip link add veth0_s1 netns server1 type veth peer name veth0_s1_p
ip netns exec server1 ip link set lo up
ip netns exec server1 ip link set veth0_s1 up
ip netns exec server1 ip link set veth0_s1 address 00:00:00:01:02:02
ip netns exec server1 ip addr add 192.168.1.2/24 dev veth0_s1
ip netns exec server1 ip -6 addr add 2001::2/64 dev veth0_s1
ip netns exec server1 ip route add default via 192.168.1.254 dev veth0_s1
ip netns exec server1 ip -6 route add default via 2001::a dev veth0_s1
ovs-vsctl add-port br-int veth0_s1_p
ip link set veth0_s1_p up
ovs-vsctl set interface veth0_s1_p external_ids:iface-id=ls1p2

# Namespace client0, bound to logical port ls2p1
ip netns add client0
ip link add veth0_c0 netns client0 type veth peer name veth0_c0_p
ip netns exec client0 ip link set lo up
ip netns exec client0 ip link set veth0_c0 up
ip netns exec client0 ip link set veth0_c0 address 00:00:00:02:01:02
ip netns exec client0 ip addr add 192.168.2.1/24 dev veth0_c0
ip netns exec client0 ip -6 addr add 2002::1/64 dev veth0_c0
ip netns exec client0 ip route add default via 192.168.2.254 dev veth0_c0
ip netns exec client0 ip -6 route add default via 2002::a dev veth0_c0
ovs-vsctl add-port br-int veth0_c0_p
ip link set veth0_c0_p up
ovs-vsctl set interface veth0_c0_p external_ids:iface-id=ls2p1
```

#result on ovn20.06.1-2:

```
[root@dell-per740-42 bz1836804]# rpm -qa | grep -E "openvswitch|ovn"
ovn2.13-host-20.06.1-2.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-common-1.0-7.noarch
kernel-kernel-networking-openvswitch-ovn-acl-1.0-13.noarch
ovn2.13-central-20.06.1-2.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-soak_test-1.0-5.noarch
openvswitch2.13-2.13.0-48.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-regression-bz1846300_ipv6_ignore_gateway_mtu-1.0-2.noarch
kernel-kernel-networking-openvswitch-ovn-nat-1.0-5.noarch
ovn2.13-20.06.1-2.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch

[root@dell-per740-42 bz1836804]# ovs-dpctl show
2020-08-31T10:10:48Z|00001|dpif_netlink|INFO|The kernel module does not support meters.
system@ovs-system:
  lookups: hit:103179 missed:284403 lost:282946
  flows: 10
  masks: hit:666398 total:10 hit/pkt:1.72
  port 0: ovs-system (internal)
  port 1: br-int (internal)
  port 2: veth0_s0_p
  port 3: veth0_s2_p
  port 4: genev_sys_6081 (geneve: packet_type=ptap)

[root@dell-per740-42 ~]# ip netns exec server0 ping 192.168.2.1
[root@dell-per740-42 bz1836804]# ip netns exec server0 ping 192.168.2.1
```

flow for ls1p1:

```
[root@dell-per740-42 bz1836804]# ovs-dpctl dump-flows | grep "in_port(2"
2020-08-31T10:11:19Z|00001|dpif_netlink|INFO|The kernel module does not support meters.
recirc_id(0),in_port(2),eth(src=00:00:00:00:00:00/01:00:00:00:00:00,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(dst=192.168.2.0/255.255.254.0,proto=1,frag=no), packets:102, bytes:9996, used:0.588s, actions:ct(zone=1),recirc(0x5)
recirc_id(0x9),in_port(2),eth(src=00:00:00:01:01:02,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(dst=192.168.2.0/255.255.254.0,proto=1,frag=no), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1),recirc(0x6)
recirc_id(0x6),in_port(2),ct_state(-new+est-rel-rpl-inv+trk),ct_label(0/0x1),eth(src=00:00:00:01:01:02),eth_type(0x0800),ipv4(frag=no), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1,nat),recirc(0xa)
recirc_id(0x5),in_port(2),ct_state(-new+est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(frag=no), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1,nat),recirc(0x9)
recirc_id(0xa),in_port(2),ct_state(-new+est-rel-rpl-inv+trk),ct_label(0/0x1),eth(src=00:00:00:01:01:02,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(src=192.168.1.0/255.255.255.128,dst=192.168.2.1,tos=0/0x3,ttl=64,frag=no), packets:100, bytes:9800, used:0.588s, actions:ct_clear,ct_clear,set(tunnel(tun_id=0x3,dst=20.0.50.26,ttl=64,tp_dst=6081,geneve({class=0x102,type=0x80,len=4,0x10002}),flags(df|csum|key))),set(eth(src=00:00:00:00:00:02,dst=00:00:00:02:01:02)),set(ipv4(ttl=63)),4

<=== 5 flows
```

result on ovn20.06.2-2:

```
[root@dell-per740-42 bz1836804]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-common-1.0-7.noarch
kernel-kernel-networking-openvswitch-ovn-acl-1.0-13.noarch
ovn2.13-20.06.2-2.el7fdp.x86_64
ovn2.13-host-20.06.2-2.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-soak_test-1.0-5.noarch
openvswitch2.13-2.13.0-48.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-regression-bz1846300_ipv6_ignore_gateway_mtu-1.0-2.noarch
kernel-kernel-networking-openvswitch-ovn-nat-1.0-5.noarch
ovn2.13-central-20.06.2-2.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch

[root@dell-per740-42 bz1836804]# ovs-dpctl dump-flows | grep "in_port(2"
2020-08-31T10:12:46Z|00001|dpif_netlink|INFO|The kernel module does not support meters.
recirc_id(0x3),in_port(2),ct_state(-new+est-rel-rpl-inv+trk),ct_label(0/0x3),eth(src=00:00:00:01:01:02,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(src=192.168.1.0/255.255.255.128,dst=192.168.2.1,proto=1,tos=0/0x3,ttl=64,frag=no), packets:13, bytes:1274, used:0.053s, actions:ct_clear,ct_clear,set(tunnel(tun_id=0x3,dst=20.0.50.26,ttl=64,tp_dst=6081,geneve({class=0x102,type=0x80,len=4,0x10002}),flags(df|csum|key))),set(eth(src=00:00:00:00:00:02,dst=00:00:00:02:01:02)),set(ipv4(ttl=63)),4
recirc_id(0),in_port(2),eth(src=00:00:00:00:00:00/01:00:00:00:00:00,dst=00:00:00:00:00:01),eth_type(0x0800),ipv4(dst=192.168.2.0/255.255.254.0,proto=1,frag=no), packets:14, bytes:1372, used:0.053s, actions:ct(zone=1),recirc(0x3)

<=== 2 flows
```
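The two `ovs-dpctl dump-flows` results above can be compared by conntrack lookups per packet rather than by flow count alone. The following is an added example, not part of the bug report or of OVN: it follows the recirculation chain from `recirc_id(0)` and counts `ct()` actions along it. The function names are hypothetical, the sample flows are abridged from the output above, and it assumes one flow per `recirc_id` on the port, as in that output.

```python
import re

# Flows abridged from the dump-flows output above: match fields and set()
# actions trimmed; recirc ids, ct() and recirc() actions kept as posted.
BEFORE = """\
recirc_id(0),in_port(2),eth_type(0x0800), packets:102, bytes:9996, used:0.588s, actions:ct(zone=1),recirc(0x5)
recirc_id(0x9),in_port(2),eth_type(0x0800), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1),recirc(0x6)
recirc_id(0x6),in_port(2),ct_state(-new+est-rel-rpl-inv+trk), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1,nat),recirc(0xa)
recirc_id(0x5),in_port(2),ct_state(-new+est-rel-rpl-inv+trk), packets:100, bytes:9800, used:0.588s, actions:ct(zone=1,nat),recirc(0x9)
recirc_id(0xa),in_port(2),ct_state(-new+est-rel-rpl-inv+trk), packets:100, bytes:9800, used:0.588s, actions:ct_clear,ct_clear,set(ipv4(ttl=63)),4
"""
AFTER = """\
recirc_id(0x3),in_port(2),ct_state(-new+est-rel-rpl-inv+trk), packets:13, bytes:1274, used:0.053s, actions:ct_clear,ct_clear,set(ipv4(ttl=63)),4
recirc_id(0),in_port(2),eth_type(0x0800), packets:14, bytes:1372, used:0.053s, actions:ct(zone=1),recirc(0x3)
"""

FLOW_RE = re.compile(r"recirc_id\((0x[0-9a-f]+|0)\),in_port\((\d+)\).*?actions:(.*)$")

def parse_flows(dump, port):
    """Map recirc_id -> action string for flows received on `port`."""
    flows = {}
    for line in dump.splitlines():
        m = FLOW_RE.search(line.strip())  # log lines and other noise do not match
        if m and int(m.group(2)) == port:
            flows[int(m.group(1), 16)] = m.group(3)
    return flows

def conntrack_passes(dump, port):
    """Follow the recirculation chain from recirc_id(0) and return
    (datapath flows traversed, ct() lookups) for one packet."""
    flows = parse_flows(dump, port)
    rid, hops, ct_calls, seen = 0, 0, 0, set()
    while rid in flows and rid not in seen:  # `seen` guards against a loop
        seen.add(rid)
        hops += 1
        actions = flows[rid]
        # "ct(" matches ct(zone=...) and ct(zone=...,nat) but not ct_clear
        ct_calls += len(re.findall(r"\bct\(", actions))
        nxt = re.search(r"recirc\((0x[0-9a-f]+)\)", actions)
        if not nxt:
            break  # final flow: packet is output, no further recirculation
        rid = int(nxt.group(1), 16)
    return hops, ct_calls
```

On these samples the 20.06.1-2 chain traverses 5 flows with 4 conntrack lookups per packet, and the 20.06.2 chain traverses 2 flows with 1 lookup.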