[release-4.18] OCPBUGS-57318,OCPBUGS-58159: DownStream Merge Sync from 4.19 [06-26-2025] #2646
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Surya Seetharaman <[email protected]>
This is the CRD for Network QoS, based on the enhancement ovn-kubernetes/ovn-kubernetes#4366 Signed-off-by: Flavio Fernandes <[email protected]>
Signed-off-by: Flavio Fernandes <[email protected]>
cd go-controller && ./hack/update-codegen.sh Signed-off-by: Flavio Fernandes <[email protected]>
This commit adds a new flag called enable-network-qos, which can be used to feature gate the Network QoS feature. The following flag is exposed in kind scripts as -nqe or --network-qos-enable: kind.sh -nqe kind-helm.sh -nqe Alternatively, it can be enabled via an exported shell variable: OVN_NETWORK_QOS_ENABLE=true kind.sh Signed-off-by: Flavio Fernandes <[email protected]>
This commit adds the preparation bits needed to be used by the network qos controller in the following commit. It also provides sufficient permissions to the systemaccount to list/watch/patch the new CRD accordingly. Signed-off-by: Flavio Fernandes <[email protected]>
This commit implements Network QoS controller, based on the enhancement ovn-kubernetes/ovn-kubernetes#4366 Signed-off-by: Flavio Fernandes <[email protected]> Signed-off-by: Xiaobin Qu <[email protected]>
Signed-off-by: Xiaobin Qu <[email protected]>
e2e skip test: Network QoS feature depends on multi-homing to exercise secondary NAD Signed-off-by: Flavio Fernandes <[email protected]>
misc changes to address review comments. Signed-off-by: Xiaobin Qu <[email protected]> Signed-off-by: Flavio Fernandes <[email protected]>
Signed-off-by: Flavio Fernandes <[email protected]>
use NetworkSelector spec to match net-attach-defs instead of explicitly specify a list of net-attach-defs. Signed-off-by: Xiaobin Qu <[email protected]> Signed-off-by: Flavio Fernandes <[email protected]>
pkg/ovn/controller/network_qos/network_qos_pod.go:9:2: import "k8s.io/api/core/v1" imported as "v1" but must be "corev1" according to config (importas)
v1 "k8s.io/api/core/v1"
^
pkg/ovn/controller/network_qos/network_qos_test.go:547:26: Error return value of addrset.AddAddresses is not checked (errcheck)
addrset.AddAddresses([]string{"10.194.188.4"})
^
pkg/factory/factory_test.go:41: File is not gci-ed with --skip-generated -s standard -s default -s prefix(k8s.io,sigs.k8s.io) -s prefix(github.com/ovn-org) -s localmodule -s dot --custom-order (gci)
"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util"
pkg/factory/factory_test.go:44: File is not gci-ed with --skip-generated -s standard -s default -s prefix(k8s.io,sigs.k8s.io) -s prefix(github.com/ovn-org) -s localmodule -s dot --custom-order (gci)
networkqosfake "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/networkqos/v1/apis/clientset/versioned/fake"
pkg/ovn/controller/network_qos/network_qos_test.go:12: File is not gci-ed with --skip-generated -s standard -s default -s prefix(k8s.io,sigs.k8s.io) -s prefix(github.com/ovn-org) -s localmodule -s dot --custom-order (gci)
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
pkg/factory/factory_test.go:2160:21: unused-parameter: parameter 'old' seems to be unused, consider removing or renaming it as _ (revive)
UpdateFunc: func(old, new interface{}) {
^
pkg/ovn/controller/network_qos/network_qos.go:70:43: unused-parameter: parameter 'nqosKey' seems to be unused, consider removing or renaming it as _ (revive)
return c.nqosCache.DoWithLock(key, func(nqosKey string) error {
^
pkg/ovn/controller/network_qos/network_qos.go:84:43: unused-parameter: parameter 'nqosKey' seems to be unused, consider removing or renaming it as _ (revive)
return c.nqosCache.DoWithLock(key, func(nqosKey string) error {
^
pkg/ovn/controller/network_qos/network_qos.go:91:42: unused-parameter: parameter 'nqosKey' seems to be unused, consider removing or renaming it as _ (revive)
return c.nqosCache.DoWithLock(key, func(nqosKey string) error {
^
pkg/ovn/controller/network_qos/types.go:352:28: unused-parameter: parameter 'value' seems to be unused, consider removing or renaming it as _ (revive)
dest.Pods.Range(func(key, value any) bool {
^
pkg/ovn/controller/network_qos/network_qos_test.go:906:12: unused-parameter: parameter 'nbGlobal' seems to be unused, consider removing or renaming it as _ (revive)
p := func(nbGlobal *nbdb.NBGlobal) bool {
^
pkg/ovn/controller/network_qos/network_qos_controller.go:9:2: import "k8s.io/api/core/v1" imported as "v1" but must be "corev1" according to config (importas)
v1 "k8s.io/api/core/v1"
^
level=info msg="[runner/max_same_issues] 14/17 issues with text "File is not gci-ed with --skip-generated -s standard -s default -s prefix(k8s.io,sigs.k8s.io) -s prefix(github.com/ovn-org) -s localmodule -s dot --custom-order" were hidden, use --max-same-issues"
level=info msg="[runner/max_same_issues] 2/5 issues with text "import \"k8s.io/api/core/v1\" imported as \"v1\" but must be \"corev1\" according to config" were hidden, use --max-same-issues"
level=info msg="[runner] Issues before processing: 154, after processing: 15"
level=info msg="[runner] Processors filtering stat (out/in): invalid_issue: 154/154, path_prettifier: 154/154, max_same_issues: 15/31, severity-rules: 15/15, path_prefixer: 15/15, filename_unadjuster: 154/154, identifier_marker: 104/104, source_code: 15/15, cgo: 154/154, exclude: 104/104, exclude-rules: 34/104, diff: 31/31,
max_from_linter: 15/15, fixer: 15/15, sort_results: 15/15, skip_files: 154/154, autogenerated_exclude: 104/113, nolint: 31/34, uniq_by_line: 31/31, max_per_file_from_linter: 31/31, path_shortener: 15/15, skip_dirs: 113/154"
level=info msg="[runner] processing took 20.696604ms with stages: nolint: 9.359103ms, path_prettifier: 4.425669ms, autogenerated_exclude: 3.521318ms, source_code: 1.252048ms, exclude-rules: 986.811Β΅s, identifier_marker: 704.888Β΅s, skip_dirs: 394.602Β΅s, max_same_issues: 15.034Β΅s, cgo: 9.933Β΅s, invalid_issue: 7.606Β΅s, uniq_by_
line: 6.214Β΅s, path_shortener: 4.436Β΅s, filename_unadjuster: 3.748Β΅s, max_from_linter: 3.014Β΅s, max_per_file_from_linter: 672ns, fixer: 346ns, skip_files: 311ns, diff: 231ns, exclude: 218ns, sort_results: 204ns, severity-rules: 104ns, path_prefixer: 94ns"
level=info msg="[runner] linters took 16.440293927s with stages: goanalysis_metalinter: 16.419554906s"
level=info msg="File cache stats: 8 entries of total size 176.9KiB"
level=info msg="Memory: 431 samples, avg is 1072.1MB, max is 4950.4MB"
level=info msg="Execution took 43.614943666s"
pkg/ovn/controller/network_qos/network_qos_namespace.go:8:2: import "k8s.io/api/core/v1" imported as "v1" but must be "corev1" according to config (importas)
v1 "k8s.io/api/core/v1"
^
pkg/ovn/controller/network_qos/network_qos_node.go:10:2: import "k8s.io/api/core/v1" imported as "v1" but must be "corev1" according to config (importas)
v1 "k8s.io/api/core/v1"
^
pkg/ovn/controller/network_qos/network_qos_ovnnb.go:10:2: import "github.com/ovn-org/libovsdb/ovsdb" imported as "libovsdb" but must be "" according to config (importas)
libovsdb "github.com/ovn-org/libovsdb/ovsdb"
^
pkg/ovn/controller/network_qos/types.go:13:2: import "k8s.io/apimachinery/pkg/api/errors" imported without alias but must be with alias "apierrors" according to config (importas)
"k8s.io/apimachinery/pkg/api/errors"
^
Signed-off-by: Flavio Fernandes <[email protected]>
change `port` in classifier to `ports` which contains a list of protocol&port combinations. Signed-off-by: Xiaobin Qu <[email protected]> Signed-off-by: Flavio Fernandes <[email protected]>
cd go-controller && ./hack/update-codegen.sh Signed-off-by: Flavio Fernandes <[email protected]>
Tests: - host networked pod -> nodeport -> ovnk backend (UDP) - VM (1500 mtu) -> host networked pod on another node (TCP) - ovnk pod -> host networked pod on another node (UDP) Each of these test would trigger a node to install a lower MTU route in its cache towards another node, due to PMTUD. The test fails if it detects such a route. Signed-off-by: Tim Rozet <[email protected]>
Create nftables rules to block sending ICMP needs frag/packet too big for known Kubernetes node IPs. PMTUD between nodes can be deterimental to the cluster. Note, this does not affect PMTUD messages received from an intermediary router. For shared gateway mode, also install openflow rules to drop needs frag packets from OVN GR that are destined to known kubernetes nodes. Signed-off-by: Tim Rozet <[email protected]>
This test works under the premise that sending UDP packets via netcat would trigger ICMP needs frag. For shared gateway mode, packets to a host networked pod endpoint are not fragmented and are rerouted out of GR back to the next host endpoint. However, for OVN networked endpoints and shared gateway mode, the packet will hit the GR and then even if DF bit is not set, OVN GR will send back an ICMP needs frag (because OVS is incapable of fragmentation across different MTU boundary interfaces). For local gateway mode, large packets that hit an intermediary node are DNAT'ed in iptables to the cluster IP service. Then there is a route for cluster IP service set to 1400 byte MTU. This will trigger the kernel to drop the packet when DF bit is set. Since our new logic prevents ICMP needs frag from installing a cached MTU route, the client will continue to send packets with a 1500 byte MTU and they will be dropped. We choose not to fix this for now as it was identified as not a practical use case: https://issues.redhat.com/browse/OCPBUGS-7609 It could be fixed in the future by using an ip rule to match on nodeport port range, and then redirecting traffic to another routing table with a lower MTU on the route. Signed-off-by: Tim Rozet <[email protected]>
This allows ovn_cluster_router to send ICMP needs frag when too large of a packet is sent from a pod (such as from a kubevirt VM with too large an MTU). See https://issues.redhat.com/browse/FDP-1295 for more details. Signed-off-by: Tim Rozet <[email protected]>
OVN-Kubernetes is always lagging behind on the version of OVS it pins.
This is causing a lot of trouble with keeping up with bug fixes and
especially CVE fixes on older branches, resulting in scanners constantly
flagging this image with poor security grades.
OVS package inside the container is responsible for the following:
1. Command line utilities to talk with OVS from the host.
2. ovsdb-server processes serving OVN databases.
3. ovs-monitor-ipsec script for managing ipsec configuration on
OVN tunnels.
These tools/programs are not changing that much between patch releases,
and bug fix releases in FDP are going through a lot of testing before
becoming available in the repo. So, benefits of timely delivery of bug
and CVE fixes significantly outweighs the small risks that automatic
consumption of new builds incurs. Main OVS is working on the host and
follows FDP for a very long time now, and it's also better to keep
the minor versions between host and container in sync, just to decrease
the amount of variables in the system.
Signed-off-by: Ilya Maximets <[email protected]>
Today, we require that VF accelerated gateway interface must be explicitly configured. This change allows VF based accelerated gateway interface without explict configuration. Signed-off-by: Yun Zhou <[email protected]>
- namespace/pod/node handlers detect possible changes and trigger reconciliation by putting networkqos in event queue. - reconcile networkqos rules in networkqos handler only Signed-off-by: Xiaobin Qu <[email protected]> Signed-off-by: Flavio Fernandes <[email protected]>
Signed-off-by: nithyar <[email protected]>
Guard against PMTUD route caching for Kubernetes Node IPs
Signed-off-by: Xiaobin Qu <[email protected]>
- acquire lock on the start in networkqos handler - add missing DeepEqual check in networkqos event handler Signed-off-by: Xiaobin Qu <[email protected]>
Add Support for Network QoS
Signed-off-by: nithyar <[email protected]>
Signed-off-by: nithyar <[email protected]>
Signed-off-by: nithyar <[email protected]>
|
/retitle [release-4.18] OCPBUGS-57318,OCPBUGS-58159: DownStream Merge Sync from 4.19 [06-26-2025] |
openshift-ci
bot
changed the title
|
@jluhrsen: This pull request references Jira Issue OCPBUGS-57318, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-58159, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. Retaining the jira/valid-bug label as it was manually added. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@martinkennelly: This pull request references Jira Issue OCPBUGS-57318, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-58159, which is invalid:
Comment Retaining the jira/valid-bug label as it was manually added. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jluhrsen : were payloads also green here? are we good to go with this one? |
yes payloads were good. see this comment. we needed one re-run which was fine. see this comment. the multi-pr job did not work at all. no clue why. I only did it hoping to prove this PR was ok and we just needed the origin PRs to land so the aws-ovn-edge-zones would pass, but they ended up landing in the meantime and the re-run of that job did pass. we need |
|
/lgtm |
openshift-ci
bot
added
the
backport-risk-assessed
openshift-ci
bot
assigned
anuragthehatter,
asood-rh,
huiran0826,
jechen0648,
Meina-rh,
mffiedler,
qiowang721,
rbbratta,
weliang1 and
yingwang-0320
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jluhrsen, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-merge-bot
bot
merged commit 5a7022b
into
openshift:release-4.18
42 of 47 checks passed
|
@jluhrsen: Jira Issue OCPBUGS-57318: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-57318 has been moved to the MODIFIED state. Jira Issue OCPBUGS-58159: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-58159 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] Distgit: ovn-kubernetes-base |
|
[ART PR BUILD NOTIFIER] Distgit: ovn-kubernetes-microshift |
|
[ART PR BUILD NOTIFIER] Distgit: ose-ovn-kubernetes |
|
Fix included in accepted release 4.18.0-0.nightly-2025-07-10-031259 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
30 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
π Description
Fixes #
Additional Information for reviewers
β Checks
How to verify it