[Tracking] Calico Pod-to-pod connectivity interrupted on kernel 5.4 with Mellanox ConnectX4 Lx (MT27710 Family)

[iaguis]

Flatcar Status: A workaround is in place for releases 2605.4.0 and above. This issue is kept for tracking the bug with newer kernel releases.

Description

On Kubernetes, pod-to-pod connections between pods running on different nodes don't work on current Flatcar Beta (2605.3.0) and Alpha (2605.1.0). Stable (2512.4.0) works fine for me. My clusters run calico.

Impact

My Kubernetes clusters don't work on Flatcar Beta and Alpha.

Environment and steps to reproduce

1. Set-up: Flatcar running on Packet.
2. Task: N/A
3. Action(s): (see the "Additional information" section for more details)
   a. Started pod A with a web server
   b. Started pod B on a different node of the cluster
   c. Tried to connect from pod B to pod A
4. Error: Connection timeout. However, ping works between the containers.

Expected behavior

An established connection.

Additional information

• I used the following lokocfg and Lokomotive v0.4.0:

  cluster "packet" {
    asset_dir = "./assets"
  
    cluster_name = "broken"
  
    controller_count = 1
    controller_type = "t1.small.x86"
  
    enable_tls_bootstrap = false
  
    os_channel = "alpha"
  
    dns {
      provider = "route53"
      zone = "example.net"
    }
  
    facility = "sjc1"
    project_id = "..."
  
    ssh_pubkeys = [
      "ssh-rsa AAAAB3...",
    ]
  
    management_cidrs = ["0.0.0.0/0"]
    node_private_cidr = "10.xxx.xxx.xxx/25"
  
    enable_aggregation = true
  
    oidc {}
  
    worker_pool "pool-1" {
      count = 2
      node_type = "c2.medium.x86"
  
      os_channel = "alpha"
    }
  }
  

• I followed the instructions in Debug Services to reproduce the issue.

• I ran tcpdump and see the packets coming to the receiving host through the Calico tunl0 interface but they never reach the receiving container veth.

• I checked the iptables counters on the receiving host and see that this rule gets triggered when I try to connect from pod B to pod A:

  core@test-broken-pool-1-worker-1 ~ $ sudo iptables-save -c | grep DROP | grep -v "\[0:0\]"
  ...
  [9:540] -A cali-fh-tunl0 -m comment --comment "cali:Su0l1tIx53hedKuv" -m conntrack --ctstate INVALID -j DROP
  ...
  

• I tried fixes similar to the one mentioned in systemd 245 (channel 2605) breaks cilium pod to out-of-node traffic #181 but even setting rp_filter=0 on all interfaces doesn't fix the issue.

[t-lo]

Repro case:

• alpine-0 pod on worker-0
• alpine-1 pod on worker-1
• alpines can ping each other
• python -m SimpleHTTPServer 12345 on alpine-1
• curl <alpine-1-ip>:12345 -vvvv on alpine-0
• alpine-0 curl times out

Symptoms / packet traces

• Client (alpine-0):
  • client pod opens a TCP connection
  • TCP Syn packet leaves local calico interface
  • TCP Syn packet enters tunl0 ipip calico interface
• Server:
  • TCP Syn packet arrives from tunl0 ipip calico interface
  • packet never goes to local calico interface of destination pod

[pothos]

I got some entries logged with sysctl net.netfilter.nf_conntrack_log_invalid=255 and conntrack -E which weren't invalid but still it didn't seem to work.
Edit: Maybe it was the first packet on tunl0 and makes a new entry but the response packets don't come.

[t-lo]

Pod to pod connections on the same node work.

[t-lo]

Manually turning OFF tcp offloading on Calico's tunl0 interface (on all nodes) mitigates the problem.

ethtool --offload tunl0 rx off tx off

[t-lo]

We were able to isolate the issue down to a specific hardware type, c2.medium , which sports a mellanox ConnectX-4 NIC. Other hardware types (with other NICs) did not show the issue.
We're currently validating with Flatcar stable but suspect that the issue is related to the newer mellanox driver shipped with kernel 5.4, which is included in Flatcar Alpha and Beta.
The workaround of disabling offloading on tunnel interfaces remains functional.

[margamanterola]

I deleted my previous comment, as all my tests were completely broken, because I didn't really understand how the node_private_cidr setting worked.

That said, I've now done a few tests now that I finally understand this and I can have actual reproduction cases.

I created a cluster using beta (2605.3.0) running in EWR c1.small machines, using 10.99.0.0/25, that I set up with lokomotive 0.4.0, and pod-to-pod communication works fine. I tried SJC1 (with 10.88.42.0) and it works fine for c1.small but -as Thilo mentioned- fails for c2.medium.

I then tried a cluster on SJC1, using c2.medium, running Flatcar stable, and it worked fine.

I checked with Lokomotive 0.3.0 and the behavior was the same. For now, we only know that Flatcar beta is affected. I can now try a few different Flatcar versions and see if we can narrow it a bit more.

[margamanterola]

Further investigation with other Flatcar versions has shown that the test setup works fine with 2466.0.0 (the last alpha to ship with kernel 4.19) and it doesn't work with 2492.0.0 (the immediately next alpha, the first one to ship with kernel 5.4). The kernel is the prime suspect, but for completion, here's the full list of updates that shipped with 2492.0.0:

• Linux 5.4.35
• Go 1.13.10
• containerd 1.3.4
• conntrack-tools 1.4.5
• linux-firmware 20191022

[t-lo]

...
The kernel is the prime suspect, but for completion, here's the full list of updates that shipped with 2492.0.0:
...

More specifically, the Mellanox driver included with upstream 5.4. We do not observe the issue on systems with an Intel NIC.

[t-lo]

TODO: Deploy a Lokomotive cluster on unaffected hardware and run an iperf benchmark with ethtool --offload tunl0 rx off tx off and ethtool --offload tunl0 rx on tx on to better understand the performance impact of turning off HW checksum calculation on tunl0 interfaces when offloading does not break TCP/UDP checksums.