Bug 1839103 - [RFE] ovn-controller should clear conntrack entries as part of load balancer cleanup
Summary: [RFE] ovn-controller should clear conntrack entries as part of load balancer cleanup
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn23.03
Version: RHEL 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Ales Musil
QA Contact: ying xu
URL:
Whiteboard:
Depends On: 2120546
Blocks: 2106554
 
Reported: 2020-05-22 13:43 UTC by Jacob Tanenbaum
Modified: 2024-05-01 05:27 UTC
CC List: 16 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 2043094 | 1 | high | CLOSED | ovnkube-node not deleting stale conntrack entries when endpoints go away | 2022-08-18 00:33:16 UTC
Red Hat Issue Tracker FD-685 | 0 | None | None | None | 2022-03-15 10:20:00 UTC

Description Jacob Tanenbaum 2020-05-22 13:43:25 UTC
Description of problem:

When a load balancer backend is removed as part of cleaning up a network resource, OVN should also clear any conntrack entries currently associated with the backend being removed.

Comment 1 Dan Williams 2020-07-13 16:31:09 UTC
OpenShift worked around this by clearing UDP conntrack entries in ovn-kubernetes. Note that we only care about UDP conntrack. We also found that we had to clear conntrack entries on *all* nodes when a logical port went away, because even if the logical port was bound to chassis A there might be conntrack entries on chassis B if a pod on chassis B was trying to talk to that now-deleted pod on chassis A.
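
For illustration only, here is a minimal sketch of the kind of workaround described above, written in Go (as ovn-kubernetes is) but not taken from its actual code: when an endpoint IP goes away, each node deletes the UDP conntrack entries whose original destination is that IP by exec-ing the conntrack CLI. The helper name flushUDPConntrack and the exec-based approach are assumptions for this example; a real implementation might use netlink directly.

// Hypothetical helper illustrating the workaround described above:
// delete all UDP conntrack entries whose original destination is the IP
// of a deleted endpoint. It shells out to the `conntrack` CLI (from
// conntrack-tools); this is a sketch, not ovn-kubernetes code.
package main

import (
	"fmt"
	"os/exec"
)

func flushUDPConntrack(endpointIP string) error {
	// conntrack -D deletes matching entries; -p udp limits the flush to
	// UDP, and --orig-dst matches the original destination address.
	cmd := exec.Command("conntrack", "-D", "-p", "udp", "--orig-dst", endpointIP)
	if out, err := cmd.CombinedOutput(); err != nil {
		// conntrack may exit non-zero when no entries matched; callers
		// may want to treat that case as success.
		return fmt.Errorf("conntrack delete for %s failed: %v (%s)", endpointIP, err, out)
	}
	return nil
}

func main() {
	// Example: flush stale UDP entries for a deleted backend 10.244.1.5.
	if err := flushUDPConntrack("10.244.1.5"); err != nil {
		fmt.Println(err)
	}
}

As the comment notes, such a flush would have to run on every node, not just the chassis that hosted the deleted logical port.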

Comment 5 Tim Rozet 2022-07-18 15:55:46 UTC
Note we are also hitting this issue in OVNK CI now:
https://bugzilla.redhat.com/show_bug.cgi?id=1990335#c3

I think the deletion of the CT entry needs to be triggered by ovn-controller. If ovnkube-node is responsible, it will have to periodically "sync" all of the endpoints in the cluster and compare them to all of the CT entries in the DNAT zone, because the conntrack entry must be removed only after the endpoint has been removed via OpenFlow. If ovn-controller is responsible for this action, it can do it right after it knows it has deleted the endpoint from the OpenFlow group, and it knows specifically which endpoint it is.

Talking with Dumitru this morning, we discussed several options. Since ovn-controller is unaware of which OVS datapath is being used, it cannot know whether kernel or userspace CT is in use, and therefore it does not call netlink directly. It typically issues an OpenFlow command to signal OVS to clear conntrack. However, there is no support for a command that clears a single conntrack entry by filter, so this path would require OVS library changes as well as OVN changes.

Dumitru suggested a simpler fix where we could provide a script that ovn-controller would call when an endpoint is removed. A user could pass any script they want via an argument to the ovn-controller binary, but an example script could be provided in the library that flushes the conntrack entry. Then in CNO we could just set the argument on ovn-controller, e.g. --endpoint-delete-script, which would call a bash script that uses conntrack-tools to delete the entry.

Comment 6 Dumitru Ceara 2022-07-18 18:43:36 UTC
(In reply to Tim Rozet from comment #5)

[...]

> Dumitru suggested a simpler fix where we could provide a script that
> ovn-controller would call when an endpoint is removed. A user could pass any
> script they want via an argument to the ovn-controller binary, but an example
> script could be provided in the library that flushes the conntrack entry.
> Then in CNO we could just set the argument on ovn-controller, e.g.
> --endpoint-delete-script, which would call a bash script that uses
> conntrack-tools to delete the entry.

Just a note on this part, Tim raised the question about potential
performance impact (because of calling a bash script on every endpoint
deletion):

We could try to design a solution where a dedicated ovn-controller thread
takes care of eventually flushing conntrack for removed endpoints by
calling the external binary/script. These requests could be queued by the
main thread when deletion happens. That way, any potential delays
incurred by exec-ing an external tool would not affect the main
processing loop in ovn-controller.
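
A rough sketch of that queue-plus-worker idea follows, written in Go purely to keep the example short (ovn-controller itself is written in C and does not work this way today): the main loop only enqueues flush requests, while a dedicated worker drains the queue and execs the external tool, so exec latency never blocks the main processing loop. All names and the conntrack invocation are illustrative assumptions.

// Hypothetical sketch of the "dedicated flush thread" idea: the main
// loop enqueues conntrack-flush requests and a background worker execs
// the external tool, keeping exec latency off the main processing loop.
package main

import (
	"log"
	"os/exec"
	"sync"
)

type flushRequest struct {
	proto      string // e.g. "udp"
	endpointIP string // backend IP whose conntrack entries should be flushed
}

// startFlushWorker drains the queue in a background goroutine so that
// exec-ing the external tool never blocks the caller.
func startFlushWorker(queue <-chan flushRequest, wg *sync.WaitGroup) {
	wg.Add(1)
	go func() {
		defer wg.Done()
		for req := range queue {
			cmd := exec.Command("conntrack", "-D", "-p", req.proto, "--orig-dst", req.endpointIP)
			if err := cmd.Run(); err != nil {
				// A failed (or empty) flush is logged, not fatal.
				log.Printf("conntrack flush for %s failed: %v", req.endpointIP, err)
			}
		}
	}()
}

func main() {
	var wg sync.WaitGroup
	queue := make(chan flushRequest, 128)
	startFlushWorker(queue, &wg)

	// Main processing loop: on backend deletion, enqueue and move on.
	queue <- flushRequest{proto: "udp", endpointIP: "10.244.1.5"}

	close(queue) // a long-running daemon would keep the queue open
	wg.Wait()
}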

Comment 7 Dumitru Ceara 2022-08-23 08:37:37 UTC
OVS RFE for the "long-term" solution of informing ovs-vswitchd to flush conntrack entries that correspond to a given backend:

https://bugzilla.redhat.com/show_bug.cgi?id=2120546

Comment 8 Dumitru Ceara 2022-09-29 14:42:19 UTC
After a follow-up discussion with Tim, we decided to avoid the short-term script solution and work towards a real fix:
- support filtered conntrack flushing in OVS via an OF extension (bug 2120546)
- use this new feature in ovn-controller when we detect backends being removed

If needed, until the fix lands in OVS/OVN, ovn-kubernetes can work around the problem by periodically checking and cleaning up conntrack state for pods that are local to the node.
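
A hedged sketch of that interim workaround follows: periodically compare the backend IPs that should still exist on the node against the ones previously known, and flush UDP conntrack entries for any backend that disappeared. The helper names, the 30-second interval, and the exec-based deletion are assumptions for illustration, not ovn-kubernetes' actual implementation.

// Hypothetical periodic cleanup along the lines of the workaround
// mentioned above: given the set of endpoint IPs that should still exist
// on this node, delete UDP conntrack entries for any previously known
// backend that is no longer in that set. How the sets are obtained
// (watching Services/Pods, listing conntrack) is out of scope here.
package main

import (
	"fmt"
	"os/exec"
	"time"
)

func cleanupStaleEntries(knownBackends, currentBackends map[string]bool) {
	for ip := range knownBackends {
		if currentBackends[ip] {
			continue // backend still exists, keep its entries
		}
		// Stale backend: flush its UDP conntrack entries.
		cmd := exec.Command("conntrack", "-D", "-p", "udp", "--orig-dst", ip)
		if err := cmd.Run(); err != nil {
			fmt.Printf("flush for stale backend %s failed: %v\n", ip, err)
		}
	}
}

func main() {
	known := map[string]bool{"10.244.1.5": true, "10.244.1.6": true}

	ticker := time.NewTicker(30 * time.Second)
	defer ticker.Stop()

	for range ticker.C {
		// In a real controller this would come from the Kubernetes API.
		current := map[string]bool{"10.244.1.6": true}
		cleanupStaleEntries(known, current)
		known = current
	}
}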

Comment 10 Ales Musil 2023-01-24 15:12:19 UTC
Patches posted u/s: https://patchwork.ozlabs.org/project/ovn/list/?series=338239

