Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1851467

Summary: [OVN] Do not send geneve UDP traffic to conntrack for performance reasons
Product: Red Hat OpenStack
Reporter: Daniel Alvarez Sanchez <dalvarez>
Component: openstack-tripleo-heat-templates
Assignee: Miguel Lavalle <mlavalle>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: low
Priority: medium
Version: 16.1 (Train)
CC: bcafarel, jiehuang, jlibosva, jschluet, ltamagno, mburns, mtomaska, tvignaud
Target Milestone: z9
Keywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20220805163830.29a02c1.el8ost
Doc Type: If docs needed, set a value
: 2163371
Last Closed: 2022-12-07 20:29:17 UTC
Type: Bug
Bug Blocks: 2163371

Description Daniel Alvarez Sanchez 2020-06-26 15:58:20 UTC
Right now every TCP connection made by an OpenStack VM that requires tunnelling will create a UDP conntrack entry. This not only has no benefit, but the core OVN team has identified a performance hit estimated at roughly 10% in terms of throughput (it varies depending on the number of simultaneous TCP connections that require tunnelling).

A possible solution to this issue is adding iptables rules in the overcloud nodes to avoid tracking Geneve traffic:

iptables -t raw -A PREROUTING -p udp --dport 6081 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --dport 6081 -j NOTRACK

Comment 3 Miguel Lavalle 2022-07-06 21:39:55 UTC
The following commit (upstream https://review.opendev.org/c/openstack/tripleo-heat-templates/+/738419) is in branches rhos-17.0-rhel-9-trunk and rhos-17.0-rhel-8-trunk in pkgs.devel.redhat.com/rpms/openstack-tripleo-heat-templates

commit 51e433265b7118d016a3ccba99d00a6896a982a5
Author: OSP Prod Chain <dev-null>
Date:   Sat Aug 15 14:17:27 2020 -0400

    openstack-tripleo-heat-templates-XXX-XXX
    
    Changelog:
    - Update patches
    - [ovn] Don't add conntrack entries for Geneve


I couldn't find the corresponding commits in rhos-16.0-rhel-8-trunk, rhos-16.1-rhel-8-trunk or remotes/origin/rhos-16.2-rhel-8-trunk. So, I'm backporting https://review.opendev.org/c/openstack/tripleo-heat-templates/+/738419 to these branches.

Comment 4 Miguel Lavalle 2022-07-06 22:52:33 UTC
Cherry picked to stable/Train branch upstream: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/848907

Comment 18 errata-xmlrpc 2022-12-07 20:29:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8796

Comment 19 Luigi Tamagnone 2022-12-28 09:38:17 UTC
It seems the rules have state NEW, so they didn't match the traffic. I added the code upstream [1] to match it with the state INVALID.

[1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/868743
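
One way to check a node for the condition reported in Comment 19, as an added example that is not part of the bug report or of tripleo-heat-templates: it audits `iptables-save -t raw` text for Geneve NOTRACK rules gated on state NEW and counts conntrack entries for UDP 6081. The function names and all sample rule and conntrack lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit raw-table NOTRACK rules and conntrack entries for Geneve.
# Function names and all sample data below are constructed for illustration.
GENEVE_PORT=6081

# Constructed `iptables-save -t raw` output: rules gated on state NEW (Comment 19).
SAMPLE_RULES_NEW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 6081 -m state --state NEW -j NOTRACK
-A OUTPUT -p udp -m udp --dport 6081 -m state --state NEW -j NOTRACK
COMMIT'

# Constructed output matching the two rules from the bug description.
SAMPLE_RULES_OK='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 6081 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 6081 -j NOTRACK
COMMIT'

# Constructed `conntrack -L` style lines: one Geneve flow, one unrelated SSH flow.
SAMPLE_CONNTRACK='udp      17 29 src=192.0.2.10 dst=192.0.2.11 sport=41234 dport=6081 [UNREPLIED] src=192.0.2.11 dst=192.0.2.10 sport=6081 dport=41234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=50000 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=50000 [ASSURED] mark=0 use=1'

# audit_chain RULES CHAIN -> ok | state-new | missing
audit_chain() {
  printf '%s\n' "$1" | awk -v chain="$2" -v port="$GENEVE_PORT" '
    $1 == "-A" && $2 == chain && /-p udp/ &&
    $0 ~ ("--dport " port "( |$)") && (/-j NOTRACK/ || /-j CT --notrack/) {
      if ($0 ~ /--(ct)?state NEW( |$)/) gated = 1; else usable = 1
    }
    END { print (usable ? "ok" : (gated ? "state-new" : "missing")) }'
}

# count_geneve_conntrack TEXT -> number of UDP entries with dport=6081
count_geneve_conntrack() {
  printf '%s\n' "$1" | awk -v port="$GENEVE_PORT" '
    $1 == "udp" && $0 ~ ("dport=" port "( |$)") { n++ }
    END { print n + 0 }'
}

for chain in PREROUTING OUTPUT; do
  echo "state-gated rules, $chain: $(audit_chain "$SAMPLE_RULES_NEW" "$chain")"
  echo "plain rules,       $chain: $(audit_chain "$SAMPLE_RULES_OK" "$chain")"
done
echo "Geneve conntrack entries: $(count_geneve_conntrack "$SAMPLE_CONNTRACK")"
```

On an overcloud node, pass the real output of `iptables-save -t raw` and `conntrack -L -p udp` to the two functions instead of the samples; a result other than `ok`, or a non-zero entry count, means Geneve traffic is still being tracked.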