Reviewed:  https://review.opendev.org/c/openstack/neutron/+/892648
Committed: https://opendev.org/openstack/neutron/commit/a3a113aedbf40fdb8d90179033773a9d225a0735
Submitter: "Zuul (22348)"
Branch:    master

commit a3a113aedbf40fdb8d90179033773a9d225a0735
Author: Elvira García <[email protected]>
Date:   Thu Aug 24 10:31:30 2023 +0200

    [OVN] Fix rate and burst for stateless security groups

    Right now, as per kernel limitation, the burst limit is not
    correctly enforcing the rate and burst when using the ovn
    "log-related" option and stateless security groups. We log
    exactly double the burst.

    Creating a new meter that limits the rate and burst to half of
    the expected ones is a workaround that solves the issue.

    Closes-bug: #2032929
    Signed-off-by: Elvira García <[email protected]>
    Change-Id: Ib0047d38c58bcebb23c8887e7934987ff8c8a432

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2032929

Title:
  OVN security group logging burst limit has an unexpected value for
  stateless security groups

Status in neutron:
  Fix Released

Bug description:
  If we set the meter band burst limit for a certain number, we expect
  to have a total number of logs almost equal (~10% difference) to the
  rate_limit + burst_limit for 1 second timeframe. This is true for
  stateful security groups, but not for stateless security groups. The
  result of tuning the burst limit should be equal for both stateless
  and stateful. Currently, stateless security groups output exactly
  double of the expected logs.

  I have already discussed this with OVN folks and it looks like it is
  not on them how stateless and stateful connections work, it's
  kernel-wise. Therefore, the most immediate way of fixing this is on
  Neutron itself.

  * Step-by-step reproduction steps using Devstack:

  See the current number of logs in ovn-controller.log:

    C1=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C1

  Send a big amount of ICMP requests from the undercloud node for less
  than a second:

    sudo ping 172.24.4.223 -i 0.002 -c 500 | tail -n4 #stateless
    sudo ping 172.24.4.129 -i 0.002 -c 500 | tail -n4 #stateful

  No traffic loss should be observed.

  Check the last log entry ID and so calculate the amount of logs
  generated from the last time:

    C2=$(sudo grep acl_log /opt/stack/logs/ovn-controller.log | tail -n1 | cut -d "|" -f 2); echo $C2

  Log amount (C2 - C1) should be almost equal (~10% difference) to the
  rate_limit + burst_limit. Result in between 112 and 138, according to
  default limit values.

  * Results on my environment

  burst limit: 25
  rate limit: 100

  RESULTS (C2-C1):
  For stateless security groups: 248
  For stateful security groups: 124

  Expected result:
  Approximately 125 for both

  More information at:
  https://bugzilla.redhat.com/show_bug.cgi?id=2212952
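
The measurement from the reproduction steps above as a reusable check (an added example, not part of the bug report or the Neutron change). The function names and the sample log lines are constructed for illustration; the sequence field is assumed to be zero-padded, so it is normalised with awk before shell arithmetic, where a leading zero would mean octal.

```shell
#!/bin/sh
# Added example, not from the bug report. Log lines below are constructed.

# Print the sequence number (2nd "|" field) of the last acl_log line in file $1.
# awk's "n + 0" drops the zero padding, so 00089 is not later read as octal
# by shell arithmetic.
last_acl_seq() {
    awk -F'|' '/acl_log/ { n = $2 } END { print n + 0 }' "$1"
}

# check_burst C1 C2 RATE BURST
# Prints "<delta> ok", "<delta> doubled" or "<delta> unexpected".
check_burst() {
    delta=$(( $2 - $1 ))
    expected=$(( $3 + $4 ))
    low=$(( expected * 9 / 10 ))            # -10 %, rounded down
    high=$(( (expected * 11 + 9) / 10 ))    # +10 %, rounded up
    if [ "$delta" -ge "$low" ] && [ "$delta" -le "$high" ]; then
        echo "$delta ok"
    elif [ "$delta" -ge $(( 2 * low )) ] && [ "$delta" -le $(( 2 * high )) ]; then
        echo "$delta doubled"               # the stateless symptom in the report
    else
        echo "$delta unexpected"
    fi
}

# Constructed sample: write a "before" and an "after" snapshot of the log.
write_sample_logs() {
    cat > "$1" <<'EOF'
2023-08-24T08:31:29.900Z|00088|binding|INFO|constructed non-acl line
2023-08-24T08:31:30.001Z|00089|acl_log(ovn_pinctrl0)|INFO|name="constructed-sg-rule", verdict=allow
EOF
    cat "$1" > "$2"
    cat >> "$2" <<'EOF'
2023-08-24T08:31:31.000Z|00337|acl_log(ovn_pinctrl0)|INFO|name="constructed-sg-rule", verdict=allow
EOF
}

tmp=$(mktemp -d)
write_sample_logs "$tmp/before.log" "$tmp/after.log"
C1=$(last_acl_seq "$tmp/before.log")
C2=$(last_acl_seq "$tmp/after.log")
check_burst "$C1" "$C2" 100 25     # stateless count from the report (248)
check_burst 0 124 100 25           # stateful count from the report (124)
rm -rf "$tmp"
```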

