Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.16.z
Affects Version/s: 4.16, 4.17, 4.18
Component/s: Networking / On-Prem Host Networking
Labels:
None

Regression:
None
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default.
Cause: The cause is a bug in Open vSwitch.
Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces.
Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.

Show
Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default. Cause: The cause is a bug in Open vSwitch. Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces. Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
RH Private Keywords:
Target Version:

4.16.z
Target Backport Versions:

4.16

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-43917. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-42987. The following is the description of the original issue:
—
It is been observed that the esp_offload kernel module might be loaded by libreswan even if bond ESP offloads have been correctly turned off.

This might be because ipsec service and configure-ovs run at the same time, so it is possible that ipsec service starts when bond offloads are not yet turned off and trick libreswan into thinking they should be used.

The potential fix would be to run ipsec service after configure-ovs.

blocks

OCPBUGS-44240 Setting ESP offload off for bonds does not work reliably

ASSIGNED

clones

OCPBUGS-43917 Setting ESP offload off for bonds does not work reliably

Verified

is blocked by

OCPBUGS-43917 Setting ESP offload off for bonds does not work reliably

Verified

is cloned by

OCPBUGS-44240 Setting ESP offload off for bonds does not work reliably

ASSIGNED

links to

openshift/machine-config-operator#4676: [release-4.16] OCPBUGS-44043: Disable ESP offload for OVS attached interfaces

Assignee:: Jaime Caamaño Ruiz

Reporter:: OpenShift Prow Bot

QA Contact:: Ross Brattain

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/10/31 11:12 AM

Updated:: 2024/11/06 4:47 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates