Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1940403

Summary: [ OVN ] hwoffload not working when the instance has a security group
Product: Red Hat OpenStack
Reporter: Miguel Angel Nieto <mnietoji>
Component: python-networking-ovn
Assignee: ffernand <ffernand>
Status: CLOSED CURRENTRELEASE
QA Contact: Miguel Angel Nieto <mnietoji>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: apevec, atragler, cfields, cfontain, dalvarez, ffernand, hakhande, jlibosva, kfida, lhh, lmartins, majopela, oblaut, pgrist, scohen, supadhya
Target Milestone: z7
Keywords: Reopened, TestOnly, Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Flags: supadhya: needinfo+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn2.13-20.12.0-115
Last Closed: 2022-01-18 18:39:38 UTC
Type: Bug
Bug Depends On: 1955191

Description Miguel Angel Nieto 2021-03-18 11:30:39 UTC
Description of problem:
I have deployed an instance with 3 ports:
- management port attached to a network with port security enabled
- 2 ports attached to a geneve provider network with port security disabled. These two ports have hardware offload configured using a Mellanox NIC.
The instance has a security group that enables ssh and icmp


Instance:
| 2c7d9e03-c7fa-44e2-b2cc-7261a0c8b5e5 | trex                  | ACTIVE | hwoffload_net_nic0_geneve0=10.10.128.144; hwoffload_net_nic1_geneve1=10.10.129.114; management_net=10.10.114.118, 10.35.185.28 | trex_testpmd_mellanox | 
ports:
(overcloud) [stack@undercloud-0 ~]$ openstack port list | egrep "10.10.114.118|10.10.128.144|10.10.129.114"
| 5458ce06-4ee1-49ed-ab9b-c9f1a70e336f | hwoffload_net_nic0_geneve0_dut_normal_port-0 | fa:16:3e:15:7b:da | ip_address='10.10.128.144', subnet_id='fe35af92-9b18-493e-942d-d3dd1786ad09' | ACTIVE |
| 72a5696b-380d-4a5c-bb2a-e11b34d5a4fa |                                              | fa:16:3e:28:2c:ef | ip_address='10.10.114.118', subnet_id='b034787e-4e77-43b2-b563-57266786d521' | ACTIVE |
| 7303978b-5238-4016-8c5c-3f57081272e5 | hwoffload_net_nic1_geneve1_dut_normal_port-1 | fa:16:3e:d0:13:ad | ip_address='10.10.129.114', subnet_id='b4caecec-b54b-40ec-9ccc-4675688b5627' | ACTIVE |

Configuration of port security in the ports:
(overcloud) [stack@undercloud-0 ~]$ openstack port show 5458ce06-4ee1-49ed-ab9b-c9f1a70e336f | grep port_security
| port_security_enabled   | False                                                                                                                                                            |
(overcloud) [stack@undercloud-0 ~]$ openstack port show 72a5696b-380d-4a5c-bb2a-e11b34d5a4fa | grep port_security
| port_security_enabled   | True                                                                                                                                                             |
(overcloud) [stack@undercloud-0 ~]$ openstack port show 7303978b-5238-4016-8c5c-3f57081272e5 | grep port_security
| port_security_enabled   | False  

Networks:
(overcloud) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+----------------------------+--------------------------------------+
| ID                                   | Name                       | Subnets                              |
+--------------------------------------+----------------------------+--------------------------------------+
| 00e68321-7bd6-47a4-b776-0c036db6aa7c | management_net             | b034787e-4e77-43b2-b563-57266786d521 |
| 0ee2c139-e53e-4ea0-95f5-4f929997320f | hwoffload_net_nic1_geneve1 | b4caecec-b54b-40ec-9ccc-4675688b5627 |
| 655bce7f-2e03-4e69-a828-77e94798058c | hwoffload_net_nic0_geneve0 | fe35af92-9b18-493e-942d-d3dd1786ad09 |
| b2a908a5-d713-4ab1-97b4-361b0c51df0f | external_net_419           | 2401a97f-8011-4836-989b-e2b58ad9ab97 |
+--------------------------------------+----------------------------+--------------------------------------+

Port security in networks:
(overcloud) [stack@undercloud-0 ~]$ openstack network show 00e68321-7bd6-47a4-b776-0c036db6aa7c | grep port_security
| port_security_enabled     | True                                                                                                                                                             |
(overcloud) [stack@undercloud-0 ~]$ openstack network show 0ee2c139-e53e-4ea0-95f5-4f929997320f | grep port_security
| port_security_enabled     | False                                                                                                                                                            |
(overcloud) [stack@undercloud-0 ~]$ openstack network show 655bce7f-2e03-4e69-a828-77e94798058c | grep port_security
| port_security_enabled     | False   
                                                                                                                                                         
This scenario worked with ml2ovs.

If all of the ports have port security disabled and I remove the security group, then traffic is offloaded.

                                   

Version-Release number of selected component (if applicable):
RHOS-16.1-RHEL-8-20210311.n.1


How reproducible:
1. Deploy a hwoffload setup. I used the following templates
https://gitlab.cee.redhat.com/mnietoji/deployment_templates/-/tree/0bbb2e86d5defb51130f6f6ef7f0a5be2a6302b6/ospd-16.1-geneve-ovn-hw-offload-ctlplane-dataplane-bonding-hybrid-panther08
2. Create resources as in the following template
https://gitlab.cee.redhat.com/mnietoji/deployment_templates/-/blob/0bbb2e86d5defb51130f6f6ef7f0a5be2a6302b6/ospd-16.1-geneve-ovn-hw-offload-ctlplane-dataplane-bonding-hybrid-panther08/performance-files/perf_resources_config_geneve.yml
3. Ping from one VM to the other one. Traffic should be offloaded, but it is not offloaded



Actual results:
Traffic is not offloaded


Expected results:
Traffic should be offloaded

Additional info:

Comment 4 ffernand 2021-04-09 13:36:30 UTC
With Miguel and Chris Fontaine's help we were able to verify that the flow is attempting to use conntrack.

ufid:f516f06a-709f-480d-b11c-fdab2147af5d, skb_priority(0/0),skb_mark(0/0),ct_state(0/0x23),ct_zone(0/0),ct_mark(0/0),ct_label(0/0x1),recirc_id(0),dp_hash(0/0),in_port(enp7s0f1_4),packet_type(ns=0/0,id=0/0),eth(src=fa:16:3e:ea:f9:15,dst=fa:16:3e:d1:05:c6),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:6672, bytes:560448, used:0.280s, dp:tc, actions:push_vlan(vid=116,pcp=0),mx-bond

The caveat with that is that support for offloading these types of packets is not available before OSP16.2, with RHEL 8.4 + Mellanox updates.

The test is very good, but a little too early for its prime time. ;)
If that is okay with you, let's close this bz as "not a bug" for now and revisit this in the future.
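
The check described in comment 4, as an added example that is not part of the original bug thread: it reads one datapath flow dump line and lists the conntrack fields the flow really matches on (non-zero mask), plus the `dp:` and `offloaded:` attributes when present. The function names and the second sample flow are constructed for illustration; the first sample is the flow quoted above with some fields omitted.

```python
import re

CT_FIELDS = ("ct_state", "ct_zone", "ct_mark", "ct_label")

# Flow quoted in comment 4, abridged (skb_*, dp_hash, packet_type, ipv4 omitted).
BZ_FLOW = (
    "ufid:f516f06a-709f-480d-b11c-fdab2147af5d, ct_state(0/0x23),ct_zone(0/0),"
    "ct_mark(0/0),ct_label(0/0x1),recirc_id(0),in_port(enp7s0f1_4),"
    "eth(src=fa:16:3e:ea:f9:15,dst=fa:16:3e:d1:05:c6),eth_type(0x0800), "
    "packets:6672, bytes:560448, used:0.280s, dp:tc, "
    "actions:push_vlan(vid=116,pcp=0),mx-bond"
)

# Constructed contrast sample: all ct_* masks are zero, flow flagged as offloaded.
CONSTRUCTED_FLOW = (
    "ufid:00000000-0000-0000-0000-000000000001, ct_state(0/0),ct_zone(0/0),"
    "ct_mark(0/0),ct_label(0/0),recirc_id(0),in_port(vf_rep_example),"
    "eth_type(0x0800), packets:10, bytes:840, used:0.100s, "
    "offloaded:yes, dp:tc, actions:mx-bond"
)


def _is_matched(body):
    """True unless the field is fully wildcarded (value/mask with mask == 0)."""
    _value, sep, mask = body.partition("/")
    if not sep:
        return True          # no mask printed: exact match on the value
    try:
        return int(mask, 0) != 0   # accepts "0" and "0x23" alike
    except ValueError:
        return True          # symbolic form (flag names): a specific match


def analyze(flow):
    """Summarise conntrack usage and offload attributes of one dump line."""
    match_part = flow.partition("actions:")[0]
    ct = []
    for field in CT_FIELDS:
        m = re.search(rf"\b{field}\(([^)]*)\)", match_part)
        if m and _is_matched(m.group(1)):
            ct.append(field)
    dp = re.search(r"\bdp:(\w+)", match_part)
    off = re.search(r"\boffloaded:(\w+)", match_part)
    # None means the attribute does not appear in the dump line at all.
    return {"conntrack_match": ct,
            "dp": dp.group(1) if dp else None,
            "offloaded": off.group(1) if off else None}


if __name__ == "__main__":
    for name, flow in (("bz", BZ_FLOW), ("constructed", CONSTRUCTED_FLOW)):
        print(name, analyze(flow))
```
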

Comment 17 Karrar Fida 2021-06-18 16:28:56 UTC
Hotfix has been delivered in customer support case 02929139. Fix is included in FDP 21.E and will be picked up in OSP 16.1.7.

Comment 18 Karrar Fida 2021-06-18 16:29:44 UTC
@supadhya please provide QA ack

Comment 19 Karrar Fida 2021-06-24 11:36:33 UTC
@mnietoji can you please put to verified if it is done and also give your QA ack.

Comment 24 Miguel Angel Nieto 2021-10-05 22:21:13 UTC
Verified with puddle RHOS-16.1-RHEL-8-20210916.n.0 ovn2.13-20.12.0-173.el8fdp.x86_64

Comment 25 Red Hat Bugzilla 2023-09-15 01:03:38 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days