Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.16, 4.17, 4.18
Component/s: Networking / On-Prem Host Networking
Labels:
None

Regression:
None
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default.
Cause: The cause is a bug in Open vSwitch.
Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces.
Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.

Show
Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default. Cause: The cause is a bug in Open vSwitch. Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces. Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
RH Private Keywords:
Target Version:

4.18.0
Target Backport Versions:

4.16

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Review Complete:

It is been observed that the esp_offload kernel module might be loaded by libreswan even if bond ESP offloads have been correctly turned off.

This might be because ipsec service and configure-ovs run at the same time, so it is possible that ipsec service starts when bond offloads are not yet turned off and trick libreswan into thinking they should be used.

The potential fix would be to run ipsec service after configure-ovs.

blocks

OCPBUGS-43917 Setting ESP offload off for bonds does not work reliably

Closed

is cloned by

OCPBUGS-43917 Setting ESP offload off for bonds does not work reliably

Closed

links to

openshift/machine-config-operator#4633: OCPBUGS-42987: Disable ESP offload for OVS attached interfaces

Assignee:: Jaime Caamaño Ruiz

Reporter:: Jaime Caamaño Ruiz

QA Contact:: Ross Brattain

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/10/09 4:05 PM

Updated:: 2024/11/08 9:37 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates