From 45189c6145c9d94c267cb0dd31586cfa73f5ba0a Mon Sep 17 00:00:00 2001 From: clyi Date: Tue, 7 Apr 2026 11:10:52 +0800 Subject: [PATCH 1/4] =?UTF-8?q?docs:=20=E6=B7=BB=E5=8A=A0=20OVN=20Underlay?= =?UTF-8?q?=20=E9=A6=96=E5=8C=85=E5=BB=B6=E8=BF=9F=E4=BC=98=E5=8C=96?= =?UTF-8?q?=E6=96=87=E6=A1=A3=EF=BC=88S2=20=E8=B7=B3=E8=BF=87=20Conntrack?= =?UTF-8?q?=20=E6=96=B9=E6=A1=88=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...irst_Packet_Latency_with_Skip_Conntrack.md | 54 +++++++++++++++++++ ...irst_Packet_Latency_with_Skip_Conntrack.md | 52 ++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md create mode 100644 docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md diff --git a/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md new file mode 100644 index 0000000..3361e10 --- /dev/null +++ b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md 
@@ -0,0 +1,54 @@ +--- +id: KB202604070001 +products: + - Alauda Container Platform +kind: + - Solution +sourceSHA: pending +--- + +# Optimize OVN Underlay First Packet Latency with Skip Conntrack (S2 Solution) + +This document describes how to configure the `skip-conntrack-dst-cidrs` parameter in Kube-OVN to skip conntrack processing for specified destination IP CIDRs, reducing first packet latency in OVN underlay networks. + +## Overview + +In OVN underlay network mode, all cross-subnet traffic goes through conntrack (connection tracking) processing by default, which increases first packet latency. For latency-sensitive scenarios, the `skip-conntrack-dst-cidrs` feature can be used to bypass conntrack processing and reduce first packet latency. + +The `skip-conntrack-dst-cidrs` feature allows administrators to specify destination IP CIDRs that should bypass conntrack processing entirely. It works by inserting priority 105 flows in the OVN `ls_in_pre_lb` logical flow table, which take precedence over the default priority 100 conntrack flow. + +## Prerequisites + +| Item | Requirement | +|------|------| +| ACP Version | 4.3+ | +| Network Mode | OVN Underlay | +| Kube-OVN Version | v1.15+ (with skip-conntrack-dst-cidrs support) | + +## Configuration Steps + +> **Warning**: Once conntrack is skipped for a destination CIDR, the following OVN features will **no longer take effect** for traffic to that CIDR: +> - **NetworkPolicy** — OVN ACL rules that depend on conntrack state will not match +> - **Service Load Balancing** — OVN LB rules for ClusterIP/NodePort services will be bypassed +> +> Ensure that the target CIDRs are **directly accessed Pod-to-Pod traffic** that does not rely on NetworkPolicy or Service routing. 
+ +### Step 1: Configure Kube-OVN Controller + +Add the `--skip-conntrack-dst-cidrs` startup parameter to the kube-ovn-controller Deployment: + +```bash +kubectl edit deploy kube-ovn-controller -n kube-system +``` + +Find the container args section and add the parameter: + +```yaml +containers: + - name: kube-ovn-controller + args: + # ... existing args ... + - --skip-conntrack-dst-cidrs=10.0.0.0/24,192.168.1.0/24 # Replace with actual target CIDRs +``` + +After saving, the configuration takes effect automatically. To remove, delete the `--skip-conntrack-dst-cidrs` line and save. diff --git a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md new file mode 100644 index 0000000..d4262ca --- /dev/null +++ b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md 
@@ -0,0 +1,52 @@ +--- +id: KB202604070001 +products: + - Alauda Container Platform +kind: + - Solution +sourceSHA: pending +--- + +# OVN Underlay 网络首包延迟优化 - 跳过 Conntrack 方案(S2 方案) + +本文档介绍如何在 Kube-OVN 中配置 `skip-conntrack-dst-cidrs` 参数,使指定目标 IP CIDR 的流量跳过 conntrack 处理,从而降低 OVN Underlay 网络的首包延迟和 conntrack 表压力。 + +## 概述 + +在 OVN Underlay 网络模式下,所有跨子网流量默认都会经过 conntrack(连接跟踪)处理,这会导致首包延迟增加。对于对延迟敏感的场景,可通过 `skip-conntrack-dst-cidrs` 功能跳过 conntrack 处理来降低首包延迟。 + +`skip-conntrack-dst-cidrs` 功能允许管理员指定需要跳过 conntrack 处理的目标 IP CIDR。它在 OVN `ls_in_pre_lb` 逻辑流表中插入优先级为 105 的流表项,优先级高于默认的优先级 100 的 conntrack 流表。 + +## 先决条件 + +| 项目 | 要求 | +|------|------| +| ACP 版本 | 4.3+ | +| 网络模式 | OVN Underlay | +| Kube-OVN 版本 | v1.15+(支持 skip-conntrack-dst-cidrs) | + +## 配置步骤 + +> **警告**:一旦对某个目标 CIDR 跳过 conntrack,以下 OVN 功能对该 CIDR 的流量将**不再生效**: +> - **NetworkPolicy** — 依赖 conntrack 状态的 OVN ACL 规则将无法匹配 +> - **Service 负载均衡** — ClusterIP/NodePort 服务的 OVN LB 规则将被绕过 +> +> 请确保目标 CIDR 是**直接 Pod 到 Pod 的通信**,不依赖 NetworkPolicy 或 Service 路由。 + +### Step 1: 配置 Kube-OVN Controller + +在 kube-ovn-controller 的 Deployment 中添加 `--skip-conntrack-dst-cidrs` 启动参数: + +```bash +kubectl edit deploy kube-ovn-controller -n kube-system +``` + +找到容器启动参数部分,添加该参数: + +```yaml + args: + # ... 已有参数 ... + - --skip-conntrack-dst-cidrs=10.0.0.0/24,192.168.1.0/24 # 替换为实际的目标 CIDR +``` + +保存后自动生效。如需删除配置,删除该行并保存即可。 From 4d10ac10245cfac2a73ad810d3883ba095217e05 Mon Sep 17 00:00:00 2001 From: clyi Date: Tue, 7 Apr 2026 11:24:21 +0800 Subject: [PATCH 2/4] =?UTF-8?q?docs:=20=E4=BF=AE=E5=A4=8D=20review=20?= =?UTF-8?q?=E5=8F=8D=E9=A6=88=20-=20=E4=B8=AD=E8=8B=B1=E6=96=87=E4=B8=80?= =?UTF-8?q?=E8=87=B4=E6=80=A7=E5=92=8C=20YAML=20=E4=B8=8A=E4=B8=8B?= =?UTF-8?q?=E6=96=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 删除中文版残留的 conntrack 表压力描述 - 补全 YAML 片段中 containers/name 定位信息 --- ...e_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md index d4262ca..98709c4 100644 --- a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md +++ b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md @@ -9,7 +9,7 @@ sourceSHA: pending # OVN Underlay 网络首包延迟优化 - 跳过 Conntrack 方案(S2 方案) -本文档介绍如何在 Kube-OVN 中配置 `skip-conntrack-dst-cidrs` 参数,使指定目标 IP CIDR 的流量跳过 conntrack 处理,从而降低 OVN Underlay 网络的首包延迟和 conntrack 表压力。 +本文档介绍如何在 Kube-OVN 中配置 `skip-conntrack-dst-cidrs` 参数,使指定目标 IP CIDR 的流量跳过 conntrack 处理,从而降低 OVN Underlay 网络的首包延迟。 ## 概述 @@ -44,6 +44,8 @@ kubectl edit deploy kube-ovn-controller -n kube-system 找到容器启动参数部分,添加该参数: ```yaml +containers: + - name: kube-ovn-controller args: # ... 已有参数 ... - --skip-conntrack-dst-cidrs=10.0.0.0/24,192.168.1.0/24 # 替换为实际的目标 CIDR From de77bb00fec41b777324baee886108ebe77620df Mon Sep 17 00:00:00 2001 From: clyi Date: Tue, 7 Apr 2026 14:45:13 +0800 Subject: [PATCH 3/4] =?UTF-8?q?docs:=20=E7=94=A8=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=A7=86=E8=A7=92=E6=8F=8F=E8=BF=B0=20skip=20conntrack=20?= =?UTF-8?q?=E8=AD=A6=E5=91=8A=E4=BF=A1=E6=81=AF=E5=B9=B6=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=E4=B8=AD=E6=96=87=E6=9C=AF=E8=AF=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md | 4 ++-- ...OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md index 3361e10..84e5659 100644 --- a/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md 
+++ b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md @@ -28,8 +28,8 @@ The `skip-conntrack-dst-cidrs` feature allows administrators to specify destinat ## Configuration Steps > **Warning**: Once conntrack is skipped for a destination CIDR, the following OVN features will **no longer take effect** for traffic to that CIDR: -> - **NetworkPolicy** — OVN ACL rules that depend on conntrack state will not match -> - **Service Load Balancing** — OVN LB rules for ClusterIP/NodePort services will be bypassed +> - **NetworkPolicy** — NetworkPolicy rules will not be able to control Pod traffic for the CIDR +> - **Service Access** — Services within the CIDR cannot be accessed via ClusterIP, NodePort, or LoadBalancer > > Ensure that the target CIDRs are **directly accessed Pod-to-Pod traffic** that does not rely on NetworkPolicy or Service routing. diff --git a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md index 98709c4..201da63 100644 --- a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md +++ b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md @@ -28,12 +28,12 @@ sourceSHA: pending ## 配置步骤 > **警告**:一旦对某个目标 CIDR 跳过 conntrack,以下 OVN 功能对该 CIDR 的流量将**不再生效**: -> - **NetworkPolicy** — 依赖 conntrack 状态的 OVN ACL 规则将无法匹配 -> - **Service 负载均衡** — ClusterIP/NodePort 服务的 OVN LB 规则将被绕过 +> - **NetworkPolicy** — 即使配置了 NetworkPolicy,也无法控制该 CIDR 的 Pod 流量 +> - **Service 访问** — 无法通过 ClusterIP、NodePort 或 LoadBalancer 访问该 CIDR 内的 Service > > 请确保目标 CIDR 是**直接 Pod 到 Pod 的通信**,不依赖 NetworkPolicy 或 Service 路由。 -### Step 1: 配置 Kube-OVN Controller +### 步骤 1: 配置 Kube-OVN Controller 在 kube-ovn-controller 的 Deployment 中添加 `--skip-conntrack-dst-cidrs` 启动参数: From df93e860a52340ea77136514701393beb466b76d Mon Sep 17 00:00:00 2001 
From: clyi Date: Tue, 7 Apr 2026 14:49:08 +0800 Subject: [PATCH 4/4] =?UTF-8?q?docs:=20=E4=BF=AE=E6=AD=A3=20Service=20?= =?UTF-8?q?=E8=AD=A6=E5=91=8A=E6=8F=8F=E8=BF=B0=20-=20=E5=87=86=E7=A1=AE?= =?UTF-8?q?=E6=8C=87=E5=90=91=E5=90=8E=E7=AB=AF=20Pod=20CIDR?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md | 2 +- ...ize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md index 84e5659..46b95b8 100644 --- a/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md +++ b/docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md @@ -29,7 +29,7 @@ The `skip-conntrack-dst-cidrs` feature allows administrators to specify destinat > **Warning**: Once conntrack is skipped for a destination CIDR, the following OVN features will **no longer take effect** for traffic to that CIDR: > - **NetworkPolicy** — NetworkPolicy rules will not be able to control Pod traffic for the CIDR -> - **Service Access** — Services within the CIDR cannot be accessed via ClusterIP, NodePort, or LoadBalancer +> - **Service Access** — When the backend Pods of a Service are in the CIDR, the Service cannot be accessed via ClusterIP, NodePort, or LoadBalancer > > Ensure that the target CIDRs are **directly accessed Pod-to-Pod traffic** that does not rely on NetworkPolicy or Service routing. diff --git a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md index 201da63..6484999 100644 
--- a/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md +++ b/docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md @@ -29,7 +29,7 @@ sourceSHA: pending > **警告**:一旦对某个目标 CIDR 跳过 conntrack,以下 OVN 功能对该 CIDR 的流量将**不再生效**: > - **NetworkPolicy** — 即使配置了 NetworkPolicy,也无法控制该 CIDR 的 Pod 流量 -> - **Service 访问** — 无法通过 ClusterIP、NodePort 或 LoadBalancer 访问该 CIDR 内的 Service +> - **Service 访问** — 当 Service 的后端 Pod 位于该 CIDR 时,无法通过 ClusterIP、NodePort 或 LoadBalancer 访问该 Service > > 请确保目标 CIDR 是**直接 Pod 到 Pod 的通信**,不依赖 NetworkPolicy 或 Service 路由。
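Review bot: In PATCH 1/4, new file `docs/en/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md`, the Step 1 block closes with "After saving, the configuration takes effect automatically" but gives the operator no way to confirm that it did; editing the Deployment's pod template rolls the kube-ovn-controller pods, so a short verification step (wait for the rollout to complete, then confirm that the priority 105 flows the Overview describes are present in `ls_in_pre_lb`, for example with `ovn-sbctl lflow-list`) would make the procedure complete, and the same applies to the removal sentence. Since the warning block in the same hunk says NetworkPolicy stops applying to the listed CIDRs, the doc should also tell operators to keep the list to the minimum CIDRs that need the latency win and to record the exemption where the cluster's NetworkPolicy coverage is reviewed, because a broad CIDR here silently turns into a policy bypass. Finally, "Ensure that the target CIDRs are **directly accessed Pod-to-Pod traffic**" mixes an address range with traffic; suggest "Ensure that the target CIDRs only cover direct Pod-to-Pod traffic that does not rely on NetworkPolicy or Service routing."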
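Review bot: In PATCH 1/4, the zh file `docs/zh/solutions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md` diverges from the en version in three places that the later patches then correct one at a time: the extra "conntrack 表压力" clause in the intro (removed in PATCH 2/4), the YAML fragment that starts at `args:` without the `containers:` / `- name: kube-ovn-controller` context the en version has (added in PATCH 2/4), and the English heading `### Step 1` in an otherwise Chinese document (changed to `### 步骤 1` in PATCH 3/4). Because the file is new in this series, consider squashing those fixups into PATCH 1/4 so the history does not add and then rewrite the same lines, and so a bisect never lands on a revision where the two language versions disagree.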
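Review bot: In PATCH 3/4, the en hunk's rewritten bullet "NetworkPolicy rules will not be able to control Pod traffic for the CIDR" does not say which direction is affected. The flag is `--skip-conntrack-dst-cidrs` and the Overview defines it in terms of destination IP CIDRs, so a reader cannot tell whether ingress policies protecting Pods inside the CIDR, egress policies on Pods inside the CIDR, or both stop being enforced; stating the direction explicitly (and mirroring it in the zh bullet "即使配置了 NetworkPolicy,也无法控制该 CIDR 的 Pod 流量") is what an operator needs in order to decide whether a given CIDR is safe to list.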
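Review bot: In PATCH 4/4, the en hunk now ties the Service failure to the backend Pods of a Service being in the CIDR, yet a request to a ClusterIP, NodePort or LoadBalancer has the Service address, not the backend Pod, as its destination, while the feature matches on destination CIDR. The bullet should say which leg of the connection loses conntrack (the DNATed packet toward the backend, the backend's reply toward a client in the CIDR, or both) so readers can work out which Services are actually affected; the zh hunk "当 Service 的后端 Pod 位于该 CIDR 时" needs the same clarification. Since PATCH 3/4 introduced the intermediate wording this hunk replaces, the two could also be folded into one patch.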