2224199 – ovn-controller replace CT zone UUID names with LR/LS names

Bug 2224199 - ovn-controller replace CT zone UUID names with LR/LS names

Summary: ovn-controller replace CT zone UUID names with LR/LS names

Keywords:
Status:	MODIFIED
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	ovn23.09
Sub Component:
Version:	FDP 23.A
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Ales Musil
QA Contact:	Jianlin Shi
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2227121 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-20 07:35 UTC by Surya Seetharaman
Modified:	2023-08-04 14:45 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ovn23.09-23.09.0-alpha.102.el9fdp
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FD-3039	0	None	None	None	2023-07-20 07:37:42 UTC

Description Surya Seetharaman 2023-07-20 07:35:00 UTC

Description of problem:

OVNK ran into an issue while upgrading from non interconnect to interconnect model. During the upgrade as we move to the new zone, new NB and SB dbs are created which will have new UUIDs compared to the older state but the elements are the same (name is the same). Since the UUIDs are different, controller on start up flushes zone 0 which is used by GR's on all nodes in OVNK for doing SNAT. Thus ovn-controller thinks it also owns zone0. On the host, we use zone 0 by default for conntrack and flushing all entries causes outage for existing traffic. One such scenario is:

client (10.0.128.4) is talking to server (10.0.0.5) via GCP load balancer (10.0.0.2 is the VIP that is dnated to 10.0.0.5 - this has NO ovn lb involvement); the server now moves to remote zone, controller on server flushes zone0 which causes entries to be flushed, now if the server is reinitiating the retransmit first it has no idea of history and now creates an entry with srcIP that of 10.0.0.5 and it doesn't know about the older entry 10.0.0.2 which is supposed to be used as the srcIP and this breaks traffic resulting in drop at the server node's interface and after 20-30 seconds of timeout; the client sends the reset which causes the srcPort to change and new traffic to start flowing and only then things settle down. TL;DR flushing zone0 causes traffic outage for 40-50 seconds which is bad.

correct entry before flush: 
tcp 6 431999 ESTABLISHED src=10.0.128.4 dst=10.0.0.2 sport=46122 dport=6443 src=10.0.0.5 dst=10.0.128.4 sport=6443 dport=36363 [ASSURED] mark=0 secctx=system_u:object_r
:unlabeled_t:s0 use=1

bad entry after flush because 10.0.0.5 initiates the connection first: so it thinks its just directly talking to the other node

tcp 6 431999 ESTABLISHED src=10.0.128.4 dst=10.0.0.5 sport=46122 dport=6443 src=10.0.0.5 dst=10.0.128.4 sport=6443 dport=36363 [ASSURED] mark=0 secctx=system_u:object_r
:unlabeled_t:s0 use=1


See previous bug related bug: https://bugzilla.redhat.com/show_bug.cgi?id=2087194

We need to revisit OVN owning the zone0.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Dumitru Ceara 2023-07-20 08:51:40 UTC

FWIW, I think the title is misleading.  There's nothing blocking the host from using *any* CT zone it wants.

IMO ovn-controller should flush all zones it uses.  There is one special case, when ovn-controller shares a zone with the host.  That's normally when LR.options:snat-ct-zone=<ZONE> is set in the NB.  Only in that case it *might* be acceptable to not flush the zone, if the CMS explicitly requests that.

Comment 4 Dumitru Ceara 2023-07-21 10:52:50 UTC

Summarizing what we discussed offline:

The real underlying problem is that ovn-controller was flushing CT zone 0 during an ovn-kubernetes migration from non-IC to IC deployments.  That's because the SB database was being reconstructed and the datapath associated to the gateway router that had snat-ct-zone=0 set was changing UUID; the ovn-controller mechanism that avoids flushing zones that were already in use by OVN matches on datapath UUIDs and not names so ovn-controller was incorrectly assuming that the logical datapath had changed.

It's not desirable to add more configuration knobs for avoiding CT zone flush (those would have to be per switch/router and would over-complicate the code); instead we can change ovn-controller to try matching both on UUID and on switch/router name when mapping required CT zones to already existing ones.  Once ovn-kubernetes upgrades to a version of OVN that supports both mappings no flush will happen anymore when the SB UUID changes unless the SB datapath name changes too.  That should properly fix any traffic disruption issues caused by conntrack flush when upgrading from non-IC to IC deployments.

Comment 5 OVN Bot 2023-07-28 04:05:22 UTC

ovn23.09 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2227121
ovn23.06 fast-datapath-rhel-8 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2227122
ovn23.06 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2227123

Comment 6 Dan Williams 2023-08-04 13:47:13 UTC

Upstream patch applied: http://patchwork.ozlabs.org/project/ovn/patch/20230726124239.66275-1-amusil@redhat.com/

Comment 7 Mark Michelson 2023-08-04 14:37:05 UTC

*** Bug 2227121 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.