perf: do not send traffic to ct if not designate to svc

kubeovn · Dec 14, 2021 · b1f8332 · b1f8332
1 parent db9d8b8
commit b1f8332
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
@@ -25,6 +25,7 @@ RUN cd /usr/src/ && git clone -b branch-21.06 --depth=1 https://github.com/ovn-o
     cd ovn && \
     curl -s https://github.com/kubeovn/ovn/commit/e24734913d25c0bffdf1cfd79e14ef43d01e1019.patch | git apply && \
     curl -s https://github.com/kubeovn/ovn/commit/8f4e4868377afb5e980856755b9f6394f8b649e2.patch | git apply && \
+    curl -s https://github.com/kubeovn/ovn/commit/02b09d8f6541f063cb5ecc4a075672df80ba68fd.patch | git apply && \
     sed -i 's/OVN/ovn/g' debian/changelog && \
     rm -rf .git && \
     ./boot.sh && \

diff --git a/docs/performance-tuning.md b/docs/performance-tuning.md
@@ -132,6 +132,16 @@ args:
 
 This can reduce about 30% of the cpu time and latency in 1byte packet test.
 
+*Note*: In underlay mode, kube-proxy can not capture underlay traffic, if disable lb, svc can not be visited.
+
+*Need Kube-OVN >= 1.9.0*.
+If you are using underlay mode network and need kube-ovn to implement the svc function, you can set the svc cidr in ovn-nb
+to bypass the conntrack system for traffic that not designate to svc.
+
+```bash
+kubectl ko nbctl set nb_global . options:svc_ipv4_cidr=10.244.0.0/16
+```
+
 ### Kernel FastPath module
 
 With Profile, the netfilter hooks inside container netns and between tunnel endpoints contribute about 25% of the CPU time