Setting ESP offload off for bonds does not work reliably

    • None
    • Rejected
    • False
      * Previously, enabling ESP hardware offload using IPSec on attached interfaces in Open vSwitch broke connectivity due to a bug in Open vSwitch. With this release, OpenShift automatically disables ESP hardware offload on the Open vSwitch attached interfaces, and the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-44043[*OCPBUGS-44043*])
      ------
      Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default.
      Cause: The cause is a bug in Open vSwitch.
      Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces.
      Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-43917. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42987. The following is the description of the original issue:

      It has been observed that the esp_offload kernel module might be loaded by libreswan even if bond ESP offloads have been correctly turned off.

      This might be because ipsec service and configure-ovs run at the same time, so it is possible that ipsec service starts when bond offloads are not yet turned off and tricks libreswan into thinking they should be used.

      The potential fix would be to run ipsec service after configure-ovs.

              jcaamano@redhat.com Jaime Caamaño Ruiz
              openshift-crt-jira-prow OpenShift Prow Bot
              Ross Brattain Ross Brattain
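
A node-side check for the state the description reports (ESP offload features off on the bond, offload module loaded anyway), as an added example that is not part of the original issue or of OpenShift's fix. It assumes the "esp_offload" module in the description corresponds to the kernel modules `esp4_offload` / `esp6_offload`; the interface name `bond0` and all sample text are constructed.

```shell
#!/bin/sh
# Added example (not from the issue): detect "offloads off, module still loaded".
# All sample text below is constructed for illustration.
SAMPLE_ETHTOOL_OFF='Features for bond0:
tx-checksumming: on
esp-hw-offload: off
esp-tx-csum-hw-offload: off'
SAMPLE_ETHTOOL_ON='Features for bond0:
esp-hw-offload: on
esp-tx-csum-hw-offload: on'
SAMPLE_MODULES='esp4_offload 16384 0 - Live 0x0000000000000000
esp4 28672 1 esp4_offload, Live 0x0000000000000000
bonding 200704 0 - Live 0x0000000000000000'

# Print ESP offload features reported "on" in `ethtool -k` output (stdin).
esp_features_on() {
    awk -F': *' '/^[ \t]*esp-/ {
        gsub(/^[ \t]+/, "", $1)
        split($2, v, " ")          # drops a trailing "[fixed]" marker
        if (v[1] == "on") print $1
    }'
}

# Print ESP offload modules present in /proc/modules-format text (stdin).
# Assumption: the issue's "esp_offload" means esp4_offload / esp6_offload.
esp_modules_loaded() {
    awk '$1 == "esp4_offload" || $1 == "esp6_offload" { print $1 }'
}

# $1 = `ethtool -k <iface>` text, $2 = /proc/modules text.
classify() {
    feats=$(printf '%s\n' "$1" | esp_features_on)
    mods=$(printf '%s\n' "$2" | esp_modules_loaded)
    if [ -n "$feats" ]; then
        echo "offload-on"                 # feature still enabled on the interface
    elif [ -n "$mods" ]; then
        echo "offload-off-module-loaded"  # the state this issue reports
    else
        echo "clean"
    fi
}

# Live use on a node: classify "$(ethtool -k bond0)" "$(cat /proc/modules)"
classify "$SAMPLE_ETHTOOL_OFF" "$SAMPLE_MODULES"
```

A result of `offload-off-module-loaded` after boot is consistent with the ordering race described above, where the ipsec service started before the bond offloads were turned off.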