Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-44240

Setting ESP offload off for bonds does not work reliably

XMLWordPrintable

    • None
    • SDN Sprint 262
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default.
      Cause: The cause is a bug in Open vSwitch.
      Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces.
      Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.
      Show
      Problem: Enabling ESP hardware offload when using IPSec on Open vSwitch attached interfaces breaks connectivity. OpenShift OVN-Kubernetes makes use of Open vSwitch attached interfaces. Additionally, Bonds have ESP hardware offload enabled by default. Cause: The cause is a bug in Open vSwitch. Fix: OpenShift will automatically disable ESP hardware offload on Open vSwitch attached interfaces. Effect: ESP hardware offload is disabled in Open vSwitch attached interfaces. As long as ESP hardware offload is not enabled in any interface, IPSec through Open vSwitch attached interfaces will not experience connectivity issues due to this problem.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-44043. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-43917. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42987. The following is the description of the original issue:

      It is been observed that the esp_offload kernel module might be loaded by libreswan even if bond ESP offloads have been correctly turned off.

      This might be because ipsec service and configure-ovs run at the same time, so it is possible that ipsec service starts when bond offloads are not yet turned off and trick libreswan into thinking they should be used.

      The potential fix would be to run ipsec service after configure-ovs.

            jcaamano@redhat.com Jaime CaamaƱo Ruiz
            openshift-crt-jira-prow OpenShift Prow Bot
            Zhanqi Zhao Zhanqi Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: