Bug 2086688 - [TestOnly] OVS TC Flower offload with Conntrack (GA)
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openvswitch
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ga
: 17.1
Assignee: Haresh Khandelwal
QA Contact: Miguel Angel Nieto
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-16 13:08 UTC by Haresh Khandelwal
Modified: 2023-08-13 21:01 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
RHOSP 17.1 GA supports the offloading of OpenFlow flows to hardware with the connection tracking (conntrack) module. For more information, see link:{defaultURL}/configuring_network_functions_virtualization/part-sriov-nfv-configuration#components_of_ovs_hardware_offload[Components of OVS hardware offload] in the _Configuring network functions virtualization_ guide.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker NFV-2509 0 None None None 2022-05-16 13:27:23 UTC
Red Hat Issue Tracker OSP-15245 0 None None None 2022-05-16 13:27:25 UTC

Description Haresh Khandelwal 2022-05-16 13:08:07 UTC
Description of problem:

About Feature:
Today Telco customers are asked to turn off security groups on datapath interfaces like OVS-DPDK because connection tracking reduces performance by 50%. API and control plane connections that need security groups use different interfaces.

OVS Connection tracking for the Mobile usecase presentation at OVS conference Nov 2017: 
https://docs.google.com/presentation/d/1yn4mHBsk-_nW8nmTlrKLIkPu304MJK269oekjCU-OAM/edit#slide=id.gb6f3e2d2d_2_213

Most NFV/Telco applications are not stateful and don't need conntrack but OpenStack implements security groups as conntrack and turning off security groups implies there is no access control or network policy enforcement for NFV usecases.

If conntrack flow can be offloaded to the SmartNIC with OVS TC flower offload this implies security groups can be enabled on datapath interfaces. Need to measure connection rate and bandwidth with connection tracking offload.

Additionally, OpenStack implements NAT using CT. Offloading NAT to HW allows North-South traffic to be terminated at the compute node itself.

Connection tracking offload was TPed in 16.2.3 (Bz#1846101). This Bz should graduate this feature to GA.

RHEL supports CT offload from RHEL9.0 onward. OSP17 and onwards should be the ideal OSP release to GA this feature.

Additional info:
Reference links:
https://issues.redhat.com/browse/RHELBU-616
https://issues.redhat.com/browse/RHELPLAN-76507

Comment 7 Miguel Angel Nieto 2023-03-30 07:50:49 UTC
I have verified the feature successfully.
https://polarion.engineering.redhat.com/polarion/#/project/RHELOpenStackPlatform/testruns?query=20230317-1557

I only had issues with transparent vlan related to conntrack:
https://bugzilla.redhat.com/show_bug.cgi?id=2176775

And these other bzs related to Mellanox:
https://bugzilla.redhat.com/show_bug.cgi?id=2175802
https://bugzilla.redhat.com/show_bug.cgi?id=2172181

It has not been possible to run performance in 17.1 due to other bzs:
https://bugzilla.redhat.com/show_bug.cgi?id=2179366
https://bugzilla.redhat.com/show_bug.cgi?id=2182371

