New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1824287: OpenStack: Replace remote_group_id with remote_ip_prefix #3461
Conversation
OpenStack with OVS has an issue where security groups using remote_group_id can be very slow, leading to OVS dropping packets. https://bugzilla.redhat.com/show_bug.cgi?id=1703947 Use remote_ip_prefix instead to workaround the issue.
/test e2e-openstack |
/lgtm |
@mandre: This pull request references Bugzilla bug 1824287, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@mandre: This pull request references Bugzilla bug 1824287, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
going to give it a try! |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Fedosin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Let's make our ci green again! |
/test e2e-aws |
2 similar comments
/test e2e-aws |
/test e2e-aws |
/retest |
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/test e2e-aws |
/retest Please review the full test history for this PR and help us cut down flakes. |
@mandre: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
/bugzilla refresh |
@pierreprinetti: This pull request references Bugzilla bug 1824287, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/label platform/openstack |
@mandre: Some pull requests linked via external trackers have merged: openshift/installer#3461. The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.4 |
@pierreprinetti: #3461 failed to apply on top of branch "release-4.4":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Using
remote_group_id
in the security rules is very inefficient, triggering a lot of computation by ovs agent to generate the flows and possibly exceeding the time allocated for flow generation. In such cases, especially in environments already under stress, masters nodes may be unable to communicate with worker nodes, leading the deployment to fail.We're seeing this behavior in MOC, the cloud we're using for our CI.
The workaround is to use the more efficient remote_ip_prefix rather than remote_group_id when creating security rules.
This was already done for openshift-ansible in the past: https://bugzilla.redhat.com/show_bug.cgi?id=1703947