Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2122016

Summary: [Octavia] Spam of "nf_conntrack: table full, dropping packet" messages during performance tests
Product: Red Hat OpenStack
Reporter: Alex Stupnikov <astupnik>
Component: openstack-octavia
Assignee: Gregory Thiemonge <gthiemon>
Status: CLOSED NEXTRELEASE
QA Contact: Bruna Bonguardo <bbonguar>
Severity: urgent
Priority: urgent
Version: 13.0 (Queens)
CC: cmuresan, gthiemon, ihrachys, jraju, jvisser, lpeer, majopela, njohnston, rcernin, scohen
Keywords: Triaged, ZStream
Hardware: All
OS: All
: 2123225 (view as bug list) Environment:
Last Closed: 2022-09-07 13:30:18 UTC
Type: Bug
Bug Blocks: 2123225, 2123226, 2125612

Description Alex Stupnikov 2022-08-28 13:54:27 UTC
Description of problem:

One of our customers is running performance tests for his Web portal built on top of a Shift on Stack environment. One of the problems we have found, which has perfect correlation with client errors, is a spam of "nf_conntrack: table full, dropping packet" messages in amphora's console.

From the tests we can see that Octavia starts spamming these errors when "/proc/sys/net/netfilter/nf_conntrack_count" shows around 32000.

I have found two related bugs fixed in newer versions:

Bug/fix 1:
nf_conntrack: table full, dropping packet
https://bugzilla.redhat.com/show_bug.cgi?id=1869771      (fixed in RHOSP 16.2)
https://review.opendev.org/c/openstack/octavia/+/748749/ (fix)

Bug/fix 2:
https://storyboard.openstack.org/#!/story/2008979        (is not backported to RHOSP 16)
https://review.opendev.org/c/openstack/octavia/+/796608


It doesn't look like these fixes will be released for RHOSP 13, so I am wondering if there is some supported way to apply some workaround for this problem and prevent a DoS situation for Amphora?

Version-Release number of selected component (if applicable):
Red Hat OpenStack Platform release 13.0.13 (Queens)