yahoo-eng-team team mailing list archive

[Bug 2032929] Re: OVN security group logging burst limit has an unexpected value for stateless security groups

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/892648
Committed: https://opendev.org/openstack/neutron/commit/a3a113aedbf40fdb8d90179033773a9d225a0735
Submitter: "Zuul (22348)"
Branch:    master

commit a3a113aedbf40fdb8d90179033773a9d225a0735
Author: Elvira García <egarciar@xxxxxxxxxx>
Date:   Thu Aug 24 10:31:30 2023 +0200

    [OVN] Fix rate and burst for stateless security groups
    
    Right now, as per kernel limitation, the burst limit is not correctly
    enforcing the rate and burst when using the ovn "log-related" option and
    stateless security groups. We log exactly double the burst. Creating a
    new meter that limits the rate and burst to half of the expected ones is
    a workaround that solves the issue.
    
    Closes-bug: #2032929
    
    Signed-off-by: Elvira García <egarciar@xxxxxxxxxx>
    Change-Id: Ib0047d38c58bcebb23c8887e7934987ff8c8a432


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2032929

Title:
  OVN security group logging burst limit has an unexpected value for
  stateless security groups

Status in neutron:
  Fix Released

Bug description:
  If we set the meter band burst limit for a certain number, we expect
  to have a total number of logs almost equal (~10% difference) to the
  rate_limit + burst_limit for a 1 second timeframe. This is true for
  stateful security groups, but not for stateless security groups. The
  result of tuning the burst limit should be equal for both stateless
  and stateful. Currently, stateless security groups output exactly
  double the expected logs.

  I have already discussed this with OVN folks and it looks like it is
  not on them how stateless and stateful connections work, it's kernel-
  wise. Therefore, the most immediate way of fixing this is on Neutron
  itself.

  * Step-by-step reproduction steps using Devstack:

  See the current number of logs in ovn-controller.log:
  C1=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C1

  Send a big amount of ICMP requests from the undercloud node for less than a second:
  sudo ping 172.24.4.223 -i 0.002 -c 500 | tail -n4 #stateless

  sudo ping 172.24.4.129 -i 0.002 -c 500 | tail -n4 #stateful
  No traffic loss should be observed.

  Check the last log entry ID and so calculate the amount of logs generated since the last time:
  C2=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C2

  The log amount (C2 - C1) should be almost equal (~10% difference) to the rate_limit + burst_limit.
  The result is in between 112 and 138, according to default limit values.

  * Results on my environment
  burst limit: 25 rate limit: 100

  RESULTS (C2-C1):

  For stateless security groups: 248
  For stateful security groups: 124

  Expected result: Approximately 125 for both

  More information at:
  https://bugzilla.redhat.com/show_bug.cgi?id=2212952
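
The C2 - C1 measurement from the reproduction steps, written as a reusable check. This is an added example, not part of the bug report or the Neutron change; the function names and the sample log line are constructed for illustration, and only the second "|"-separated field is taken from the page's cut command. It strips the leading zeros of the sequence field before doing arithmetic, because the shell would otherwise parse a zero-padded value as octal.

```shell
#!/bin/sh
# Added example. Function names and the sample log line are constructed;
# the sequence number is the second "|" field, as in the page's cut command.

# last_acl_seq FILE: sequence number of the last acl_log line, as plain decimal.
last_acl_seq() {
    seq=$(grep acl_log "$1" | tail -n1 | cut -d '|' -f 2 | sed 's/^0*//')
    echo "${seq:-0}"          # no acl_log line yet, or an all-zero field
}

# within_budget DELTA RATE BURST: succeed when DELTA is within 10% of
# RATE + BURST (integer math, so no bc or awk is needed).
within_budget() {
    delta=$1
    expected=$(( $2 + $3 ))
    [ $(( delta * 10 )) -ge $(( expected * 9 )) ] &&
    [ $(( delta * 10 )) -le $(( expected * 11 )) ]
}

# sample_line SEQ: one constructed log line (timestamp|seq|module|level|message).
sample_line() {
    printf '2023-08-24T08:31:30.000Z|%05d|acl_log|INFO|name="sample", verdict=allow\n' "$1"
}

# demo DELTA: replay the C1 / C2 steps on a temporary constructed log that
# gains DELTA entries between the two readings, then judge the result
# against the limits quoted on the page (rate 100, burst 25).
demo() {
    log=$(mktemp)
    sample_line 95 > "$log"
    c1=$(last_acl_seq "$log")
    sample_line $(( 95 + $1 )) >> "$log"
    c2=$(last_acl_seq "$log")
    rm -f "$log"
    if within_budget $(( c2 - c1 )) 100 25; then
        echo "$(( c2 - c1 )): ok"
    else
        echo "$(( c2 - c1 )): outside rate+burst +/-10%"
    fi
}

demo 124   # stateful count reported on the page
demo 248   # stateless count reported on the page
```

On a real node, take `last_acl_seq /opt/stack/logs/ovn-controller.log` before and after the ping run and pass the difference to `within_budget`.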
