Path MTU discovery #77
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/144453285 The labels on this github issue will be updated when the story is started.
I can no longer see the referenced story, but from 34d1c48 it looks like the original intention of this test was to highlight problems delivering large responses from CF applications caused by MTU misconfiguration. We recently experienced a problem like this, which has been described in cloudfoundry/guardian#77. This test passed because the response size of 5kB was smaller than the 9kB MTU on some AWS instance types: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#jumbo_frame_instances Increasing this to a larger value will make the test more effective. I've chosen a value of 200kB because it's larger than standard MTUs and indicative of the response from an average website.
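The size reasoning above can be checked with quick arithmetic (values taken from the comment; a sketch, not part of the test suite):

```shell
# Values from the comment above.
old_response=$(( 5 * 1024 ))       # previous 5kB test response
new_response=$(( 200 * 1024 ))     # proposed 200kB test response
jumbo_mtu=9001                     # AWS jumbo-frame MTU

# The old response fit inside a single jumbo frame, so MTU bugs went unnoticed.
[ "$old_response" -lt "$jumbo_mtu" ] && echo "5kB fits in one jumbo frame"
# The new response is guaranteed to span many frames at any standard MTU.
[ "$new_response" -gt "$jumbo_mtu" ] && echo "200kB exceeds even a jumbo frame"
```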
Hi @dcarley - apologies for this. We were convinced defaulting the MTU was "the right thing to do", because if it's higher than the external interface MTU that could never be correct (and this caused issues on some clouds where the default MTU is smaller than 1500, so our out-of-the-box config didn't work). I think what we missed is that defaulting in the way we did could also raise the container MTU, which might conflict with overlay or IPsec workflows. It sounds like you have a decent workaround for now. Going forward, if we were to change the defaulting behaviour so it picked the lowest of the external interface MTU or 1500, do you think that would work for you?
I am having the same problem and we are currently testing the workaround. Providing feedback as soon as I have results. @julz What you are proposing would work for us. +1
thanks all, I've pulled in a story to default to
The garden-runc-release v1.8.0[1] fixes the issue of the MTU defaulting to that of the host's interface[2]. It now will default to the host's interface MTU, or 1500, whichever is smaller. [1] https://github.com/cloudfoundry/garden-runc-release/releases/tag/v1.8.0 [2] cloudfoundry/guardian#77
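The v1.8.0 defaulting rule described above (host interface MTU capped at 1500) can be sketched in shell. The function name is illustrative, not Guardian's actual code; on a real cell the input would come from something like `cat /sys/class/net/eth0/mtu`:

```shell
# Pick min(host interface MTU, 1500) -- the v1.8.0 default described above.
default_mtu() {
  local host_mtu=$1
  if [ "$host_mtu" -lt 1500 ]; then
    echo "$host_mtu"
  else
    echo 1500
  fi
}

default_mtu 9001   # AWS jumbo-frame instance: prints 1500
default_mtu 1450   # cloud with a small interface MTU: prints 1450
```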
Description
We run Cloud Foundry and use SAP/ipsec-release to secure unencrypted traffic between routers and cells. After upgrading to garden-runc-release 1.4.0 we experienced an outage whereby requests to applications that generated HTTP responses larger than approximately 9k would hang after returning the response headers.
We eventually narrowed it down to the change in container MTUs from garden-runc-release 1.3.0 (af8d612 and cloudfoundry/garden-runc-release@a9b22fd). We deploy to AWS, where some instance types get a host interface MTU of 9001, so with that release our container MTUs changed from 1500 to 9001. This meant that they generated response packets that were too large after IPsec transport headers had been added.
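The failure mode above comes down to simple arithmetic. The exact ESP overhead depends on the cipher suite, so the 57-byte figure below is an assumption for illustration, not a measured value:

```shell
# Illustrative figures: ESP in transport mode adds roughly 40-60 bytes
# (SPI, sequence number, IV, padding, ICV). 57 is an assumed value here.
container_mtu=9001   # container MTU inherited from the host after v1.4.0
esp_overhead=57
phys_mtu=9001        # AWS jumbo-frame host interface MTU

wire_size=$(( container_mtu + esp_overhead ))
echo "on-wire packet: ${wire_size} bytes vs physical MTU: ${phys_mtu}"
[ "$wire_size" -gt "$phys_mtu" ] && echo "packet exceeds physical MTU"
```

With a 1500-byte container MTU the same sum stays far below 9001, which is why the workaround restores service.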
Now, we understand that we're deviating a bit from the norm by running IPsec, and that it's not Guardian's responsibility to know about it. We can also work around it by setting
garden.network_mtu = 1500
but it feels fragile because we have to hardcode the value irrespective of what the host's actual MTU is. However, it feels like this should Just Work with path MTU discovery. I'm not clear why it doesn't - perhaps you can shed some light? There was a similar discussion in #51 previously.
Logging and/or test output
tcpdump on a cell shows ICMP unreachable packets being generated from the cell to itself. I'm unsure if anything is acting upon these though.
Steps to reproduce
curl <dora_url>/largetext/20
Please also provide the following information if applicable:
bosh-aws-xen-hvm-ubuntu-trusty-go_agent