docs: Add OVN Underlay first-packet latency optimization document (S2 skip-conntrack solution) #134
Open
changluyi wants to merge 4 commits into alauda:main from changluyi:docs/skip-conntrack-ovn-underlay
+108
−0
54 changes: 54 additions & 0 deletions
54
...utions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| id: KB202604070001 | ||
| products: | ||
| - Alauda Container Platform | ||
| kind: | ||
| - Solution | ||
| sourceSHA: pending | ||
| --- | ||
|
|
||
| # Optimize OVN Underlay First Packet Latency with Skip Conntrack (S2 Solution) | ||
|
|
||
| This document describes how to configure the `skip-conntrack-dst-cidrs` parameter in Kube-OVN to skip conntrack processing for specified destination IP CIDRs, reducing first packet latency in OVN underlay networks. | ||
|
|
||
| ## Overview | ||
|
|
||
| In OVN underlay network mode, all cross-subnet traffic goes through conntrack (connection tracking) processing by default, which increases first packet latency. For latency-sensitive scenarios, the `skip-conntrack-dst-cidrs` feature can be used to bypass conntrack processing and reduce first packet latency. | ||
|
|
||
| The `skip-conntrack-dst-cidrs` feature allows administrators to specify destination IP CIDRs that should bypass conntrack processing entirely. It works by inserting priority 105 flows in the OVN `ls_in_pre_lb` logical flow table, which take precedence over the default priority 100 conntrack flow. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| | Item | Requirement | | ||
| |------|------| | ||
| | ACP Version | 4.3+ | | ||
| | Network Mode | OVN Underlay | | ||
| | Kube-OVN Version | v1.15+ (with skip-conntrack-dst-cidrs support) | | ||
|
|
||
| ## Configuration Steps | ||
|
|
||
| > **Warning**: Once conntrack is skipped for a destination CIDR, the following OVN features will **no longer take effect** for traffic to that CIDR: | ||
| > - **NetworkPolicy** — NetworkPolicy rules will not be able to control Pod traffic for the CIDR | ||
| > - **Service Access** — When the backend Pods of a Service are in the CIDR, the Service cannot be accessed via ClusterIP, NodePort, or LoadBalancer | ||
| > | ||
| > Ensure that the target CIDRs are **directly accessed Pod-to-Pod traffic** that does not rely on NetworkPolicy or Service routing. | ||
|
|
||
| ### Step 1: Configure Kube-OVN Controller | ||
|
|
||
| Add the `--skip-conntrack-dst-cidrs` startup parameter to the kube-ovn-controller Deployment: | ||
|
|
||
| ```bash | ||
| kubectl edit deploy kube-ovn-controller -n kube-system | ||
| ``` | ||
|
|
||
| Find the container args section and add the parameter: | ||
|
|
||
| ```yaml | ||
| containers: | ||
| - name: kube-ovn-controller | ||
| args: | ||
| # ... existing args ... | ||
| - --skip-conntrack-dst-cidrs=10.0.0.0/24,192.168.1.0/24 # Replace with actual target CIDRs | ||
| ``` | ||
|
|
||
| After saving, the configuration takes effect automatically. To remove, delete the `--skip-conntrack-dst-cidrs` line and save. |
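Review bot: The "Configuration Steps" section ends at Step 1 with no verification step, so a reader cannot confirm the change did what the Overview promises; add a check that the priority 105 flows are present in `ls_in_pre_lb` (for example by listing the logical flows with `ovn-sbctl lflow-list` and filtering for `ls_in_pre_lb`) and state that editing the Deployment rolls the kube-ovn-controller pods, since "takes effect automatically" hides that restart. The warning block should also say plainly that NetworkPolicy enforcement is switched off for the listed CIDRs, i.e. a security control is being disabled, and ask the operator to confirm nothing in those CIDRs depends on policy isolation before adding them. Finally, `sourceSHA: pending` in the front matter reads as a placeholder that should be filled in before merge.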
54 changes: 54 additions & 0 deletions
54
...utions/How_to_Optimize_OVN_Underlay_First_Packet_Latency_with_Skip_Conntrack.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| id: KB202604070001 | ||
| products: | ||
| - Alauda Container Platform | ||
| kind: | ||
| - Solution | ||
| sourceSHA: pending | ||
| --- | ||
|
|
||
| # OVN Underlay 网络首包延迟优化 - 跳过 Conntrack 方案(S2 方案) | ||
|
|
||
| 本文档介绍如何在 Kube-OVN 中配置 `skip-conntrack-dst-cidrs` 参数,使指定目标 IP CIDR 的流量跳过 conntrack 处理,从而降低 OVN Underlay 网络的首包延迟。 | ||
|
|
||
| ## 概述 | ||
|
|
||
| 在 OVN Underlay 网络模式下,所有跨子网流量默认都会经过 conntrack(连接跟踪)处理,这会导致首包延迟增加。对于对延迟敏感的场景,可通过 `skip-conntrack-dst-cidrs` 功能跳过 conntrack 处理来降低首包延迟。 | ||
|
|
||
| `skip-conntrack-dst-cidrs` 功能允许管理员指定需要跳过 conntrack 处理的目标 IP CIDR。它在 OVN `ls_in_pre_lb` 逻辑流表中插入优先级为 105 的流表项,优先级高于默认的优先级 100 的 conntrack 流表。 | ||
|
|
||
| ## 先决条件 | ||
|
|
||
| | 项目 | 要求 | | ||
| |------|------| | ||
| | ACP 版本 | 4.3+ | | ||
| | 网络模式 | OVN Underlay | | ||
| | Kube-OVN 版本 | v1.15+(支持 skip-conntrack-dst-cidrs) | | ||
|
|
||
| ## 配置步骤 | ||
|
|
||
| > **警告**:一旦对某个目标 CIDR 跳过 conntrack,以下 OVN 功能对该 CIDR 的流量将**不再生效**: | ||
| > - **NetworkPolicy** — 即使配置了 NetworkPolicy,也无法控制该 CIDR 的 Pod 流量 | ||
| > - **Service 访问** — 当 Service 的后端 Pod 位于该 CIDR 时,无法通过 ClusterIP、NodePort 或 LoadBalancer 访问该 Service | ||
| > | ||
| > 请确保目标 CIDR 是**直接 Pod 到 Pod 的通信**,不依赖 NetworkPolicy 或 Service 路由。 | ||
|
|
||
| ### 步骤 1: 配置 Kube-OVN Controller | ||
|
|
||
| 在 kube-ovn-controller 的 Deployment 中添加 `--skip-conntrack-dst-cidrs` 启动参数: | ||
|
|
||
| ```bash | ||
| kubectl edit deploy kube-ovn-controller -n kube-system | ||
| ``` | ||
|
|
||
| 找到容器启动参数部分,添加该参数: | ||
|
|
||
| ```yaml | ||
| containers: | ||
| - name: kube-ovn-controller | ||
| args: | ||
| # ... 已有参数 ... | ||
| - --skip-conntrack-dst-cidrs=10.0.0.0/24,192.168.1.0/24 # 替换为实际的目标 CIDR | ||
| ``` | ||
|
|
||
| 保存后自动生效。如需删除配置,删除该行并保存即可。 | ||
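Review bot: This Chinese version needs to stay in sync with the English file: it also stops at 步骤 1 with no verification step and carries the same `sourceSHA: pending` placeholder, so whatever flow check (listing `ls_in_pre_lb` flows for the priority 105 entries) and controller-restart note are added to the English document should be added here in the same place. The 警告 block should likewise state outright that NetworkPolicy is no longer enforced for the configured CIDRs, so that both language versions give the same security caveat.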