yahoo-eng-team team mailing list archive
Message #92745
[Bug 2032929] Re: OVN security group logging burst limit has an unexpected value for stateless security groups
Reviewed: https://review.opendev.org/c/openstack/neutron/+/892648
Committed: https://opendev.org/openstack/neutron/commit/a3a113aedbf40fdb8d90179033773a9d225a0735
Submitter: "Zuul (22348)"
Branch: master
commit a3a113aedbf40fdb8d90179033773a9d225a0735
Author: Elvira García <egarciar@xxxxxxxxxx>
Date: Thu Aug 24 10:31:30 2023 +0200

    [OVN] Fix rate and burst for stateless security groups

    Right now, as per kernel limitation, the burst limit is not correctly
    enforcing the rate and burst when using the ovn "log-related" option and
    stateless security groups. We log exactly double the burst. Creating a
    new meter that limits the rate and burst to half of the expected ones is
    a workaround that solves the issue.

    Closes-bug: #2032929
    Signed-off-by: Elvira García <egarciar@xxxxxxxxxx>
    Change-Id: Ib0047d38c58bcebb23c8887e7934987ff8c8a432
** Changed in: neutron
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/2032929
Title:
OVN security group logging burst limit has an unexpected value for
stateless security groups
Status in neutron:
Fix Released
Bug description:
If we set the meter band burst limit for a certain number, we expect
to have a total number of logs almost equal (~10% difference) to the
rate_limit + burst_limit for 1 second timeframe. This is true for
stateful security groups, but not for stateless security groups. The
result of tuning the burst limit should be equal for both stateless
and stateful. Currently, stateless security groups output exactly
double of the expected logs.
I have already discussed this with OVN folks and it looks like it is
not on them how stateless and stateful connections work, it's kernel-
wise. Therefore, the most immediate way of fixing this is on Neutron
itself.
* Step-by-step reproduction steps using Devstack:

See current number of log in ovn-controller.log

    C1=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C1

Send big amount of ICMP requests from the undercloud node for less than a second:

    sudo ping 172.24.4.223 -i 0.002 -c 500 | tail -n4 #stateless
    sudo ping 172.24.4.129 -i 0.002 -c 500 | tail -n4 #stateful

o traffic loss should be observed

Check the last log entry ID and so calculate the amount of logs generated from the last time:

    C2=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C2

Log amount (C2 - C1) should be almost equal (~10% difference) to the rate_limit + burst_limit.
Result in between 112 and 138, according to default limit values.
* Results on my environment
burst limit: 25 rate limit: 100
RESULTS (C2-C1):
For stateless security groups: 248
For stateful security groups: 124
Expected result: Approximately 125 for both
More information at:
https://bugzilla.redhat.com/show_bug.cgi?id=2212952
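
Added example, not part of the original bug report or the Neutron change: shell helpers for the measurement in the reproduction steps above. They count acl_log lines after the C1 snapshot instead of subtracting sequence numbers, because other log modules also consume sequence numbers and zero-padded values such as 00089 are rejected as octal by shell arithmetic. Assumptions: the OVS "timestamp|seq|module|level|message" log layout; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes the OVS log layout "timestamp|seq|module|level|message".

# Constructed, simplified sample of ovn-controller.log (not real output).
sample_log() {
    cat <<'EOF'
2023-08-24T08:31:30.101Z|00008|acl_log(ovn_pinctrl0)|INFO|name="sample", verdict=allow, severity=info: icmp
2023-08-24T08:31:30.102Z|00009|acl_log(ovn_pinctrl0)|INFO|name="sample", verdict=allow, severity=info: icmp
2023-08-24T08:31:30.103Z|00010|pinctrl(ovn_pinctrl0)|INFO|constructed line from another module
2023-08-24T08:31:30.104Z|00011|acl_log(ovn_pinctrl0)|INFO|name="sample", verdict=allow, severity=info: icmp
2023-08-24T08:31:30.105Z|00012|acl_log(ovn_pinctrl0)|INFO|name="sample", verdict=allow, severity=info: icmp
EOF
}

# Sequence number of the last acl_log line, as a decimal integer (0 if none).
last_acl_seq() {
    awk -F'|' '$3 ~ /^acl_log/ { seq = $2 } END { print seq + 0 }' "$1"
}

# Number of acl_log lines in file $1 with a sequence number above snapshot $2.
acl_logs_since() {
    awk -F'|' -v start="$2" \
        '$3 ~ /^acl_log/ && $2 + 0 > start + 0 { n++ } END { print n + 0 }' "$1"
}

# Succeeds when count $1 is within 10% of rate_limit $2 + burst_limit $3.
within_tolerance() {
    awk -v n="$1" -v r="$2" -v b="$3" \
        'BEGIN { e = r + b; exit !(n >= 0.9 * e && n <= 1.1 * e) }'
}

# Demo on the constructed sample, with the snapshot taken at sequence 00008.
log=$(mktemp)
sample_log > "$log"
echo "acl_log lines since 00008: $(acl_logs_since "$log" 00008)"
echo "sequence delta:            $(( $(last_acl_seq "$log") - 8 ))"
rm -f "$log"

# The report's figures with rate_limit=100 and burst_limit=25.
for count in 124 248; do
    if within_tolerance "$count" 100 25; then
        echo "$count: within 10% of 125"
    else
        echo "$count: outside 10% of 125"
    fi
done
```

On the constructed sample the sequence delta is 4 while only 3 acl_log lines were written, which is the over-count the line-based helper avoids.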