Completely forego the usage of macvlans, as they wreak havoc in ARP/IPv6 ND when more than one macvlan is created form a bridge interface #2403
Comments
delandtj
changed the title
|
There might be some info about the sources of conflict here (just a note for reference). So far I understand this affects the Mycelium interface for Zdbs. Are VMs also affected? If I read correctly here it seems so:
I think it's fine to leave existing VMs as is and let the users recreate if they want. If the user is experience a problem due to this, they probably have found another communication route and are happy enough with their VM as is. For Zdb, ideally the endpoints could retain all the same IP addresses and nothing changes for the users. If that's not possible, oh well. There's not much usage yet anyway. |
|
VMs always use regular TAP interfaces (NOT macvtaps), and therefore these should be fine. The problem exists primarily for zdbs because (for mycelium), a packet traverses 2 macvlans in bridge mode which are themselves enslaved by a bridge. It appears to be specifically the second macvlan which causes issues when acting as router, since "regular" public ipv6 has the same setup (macvlan from br-pub to zdb ns and macvlan from br-pub to public ns), however here the packet "exits" on the bridge since the bridge enslaved a physical interface which is the path for the router (so for regular IPv6 the public namespace is not involved). |
|
this is already handled for zos4 we need to do it in zos3 |
|
Any status on zos3 for this ? |
|
Hi everyone, I had a talk with @despiegk and we can't wait until 3.16 to fix this macvlan bug, as it is currently a blocking bug, i.e. it blocks Mycelium utilization. Thus it is now set as a critical priority. We can't wait for a forklift upgrade. We just need to do a patch. @ashraffouda @Omarabdul3ziz can you guys check this? Thanks everyone. |
|
changing to macvlans will not fix the problem until every single node is rebooted, because nodes will not optout macvlans until rebooted |
|
So basically all macvlan devices attached to a bridge (which should be all at this point iirc) need to be replaced by a veth pair with one end plugged into the bridge. While it is true that the network won't adapt automatically just because new code is uploaded until the node is rebooted, this can be solved by writing a bit of migration code which looks for all macvlans and switches them for veth pairs. Or the migration code can look for a single known macvlan device, if that is found it knows other macvlans need to be switched out, and finally the known one should be chagned to a veth pair. This will allow the devices to be changed with minimal downtime for workloads and without the need to reboot the node. Finally, the dummy interfaces we use to force the bridges to be up can be cleaned up as well after this. |
|
As I understand, this means that @LeeSmet has a working solution for this. @ashraffouda @Omarabdul3ziz |
|
we started by changing the zdb part today, but still not finished yet. has some issues we still debugging it |
|
Work is done on the zdb workload it now uses veth pair instead of the macvlan for all its links (ygg/myc/pub) will continue working on the other macvlans used for the network resource and the wiring to ndmz namespace |
|
Since the patch to implement this was applied to mainnet, I don't have any more issues connecting to Zdbs over Mycelium. Looks good. |
Right now the macvlan removal was only applied on devnet, so that may mean there's something else could have been going on |
|
Ah, my mistake. I should refine my statement to be that, while the gratuitous packet loss did not appear in my recent tests, there are still big latency spikes on testnet. However, my testing on devnet today shows that there is still large amounts of packet loss happening when connecting to Zdbs over Mycelium. Here are some examples from ping tests. These were performed from a VM running on node 128 on devnet. The IPs are the Mycelium IPs of Zdbs running on the indicated node ids, as returned by Zos after creating Zdb deployments. Check the gaps in sequence number. Devnet node 12Devnet node 28Devnet node 31Looks like we need some further investigation to be sure of the root cause and why the proposed fix did not address it. |
|
Node 12:
Node 28:
Node 31:
I concur, since it seems that all listed nodes still exhibit the old behavior of using macvlans |
|
@scottyeager can you try after that reboot? the migration code is still in progress to automigrate without the need for a reboot. |
|
Looking much better now. The three nodes that were rebooted have 0% packet loss now. Node 14 which was not rebooted is still showing high packet loss (lower right):
|
Creating a macvlan from a bridge interface seems to conflict in arp/nd for the bridge, as as well the bridge(duh) as macvlans have bridging code and somewhere along the path things don't fit any more.
Creating macvlans from physical interfaces doesn't seem to create problems, but from bridge interfaces (when there is more than one and both interfaces need to communicate) it does weird things, where neighbors get lost, asn as such routes get lost, ans a such, connections get lost.
some comments needed here :
The text was updated successfully, but these errors were encountered: