Bug
Resolution: Duplicate
Major
4.15.z
Quality / Stability / Reliability
Rejected
Description of problem:
After removing the iptables rule that blocks port 9107, the egressip is not re-assigned
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. label one node to be egress node
$ oc label node jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk "k8s.ovn.org/egress-assignable"=""
node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk labeled
2. Configure an egressip object; the egressip should be assigned to the egress node
$ oc apply -f /tmp/e2e-test-networking-9k28diqk-fff5j-v32gywzbresource.json
egressip.k8s.ovn.org/egressip-54045 created
$ oc get egressips.k8s.ovn.org
NAME EGRESSIPS ASSIGNED NODE ASSIGNED EGRESSIPS
egressip-54045 10.0.141.11 jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk 10.0.141.11
3. Add an iptables rule to block the egressip health check port 9107 on the egress node; the egressip should be unassigned once port 9107 is blocked
$ oc debug node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk
Temporary namespace openshift-debug-bkwn6 is created for debugging node...
Starting pod/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk-debug-2tmvr ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.4
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-5.1# iptables -I INPUT 1 -p tcp --destination-port 9107 -j DROP
sh-5.1#
sh-5.1#
sh-5.1# iptables -L
Chain INPUT (policy ACCEPT)
target         prot opt source               destination
DROP           tcp  --  anywhere             anywhere             tcp dpt:astergatefax
KUBE-FIREWALL  all  --  anywhere             anywhere
ACCEPT         all  --  anywhere             anywhere             /* gcp LB vip existing */ ADDRTYPE match dst-type !LOCAL state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination
ACCEPT         all  --  anywhere             169.254.169.1
ACCEPT         all  --  169.254.169.1        anywhere
ACCEPT         all  --  anywhere             172.30.0.0/16
ACCEPT         all  --  172.30.0.0/16        anywhere
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DROP           all  --  anywhere             anywhere
DROP           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
KUBE-FIREWALL  all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target         prot opt source               destination
DROP           all  --  !127.0.0.0/8         127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target         prot opt source               destination
[jechen@jechen ~]$
[jechen@jechen ~]$
[jechen@jechen ~]$ oc get egressips.k8s.ovn.org
NAME EGRESSIPS ASSIGNED NODE ASSIGNED EGRESSIPS
egressip-54045 10.0.141.11
4. Delete the blocking port 9107 iptables rule
$ oc debug node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk
Temporary namespace openshift-debug-z6p8c is created for debugging node...
Starting pod/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk-debug-5whbt ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.4
If you don't see a command prompt, try pressing enter.
sh-4.4# iptables -D INPUT -p tcp --destination-port 9107 -j DROP
sh: iptables: command not found
sh-4.4# chroot /host
sh-5.1# iptables -D INPUT -p tcp --destination-port 9107 -j DROP
sh-5.1# iptables -L
Chain INPUT (policy ACCEPT)
target         prot opt source               destination
KUBE-FIREWALL  all  --  anywhere             anywhere
ACCEPT         all  --  anywhere             anywhere             /* gcp LB vip existing */ ADDRTYPE match dst-type !LOCAL state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination
ACCEPT         all  --  anywhere             169.254.169.1
ACCEPT         all  --  169.254.169.1        anywhere
ACCEPT         all  --  anywhere             172.30.0.0/16
ACCEPT         all  --  172.30.0.0/16        anywhere
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DROP           all  --  anywhere             anywhere
DROP           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
KUBE-FIREWALL  all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target         prot opt source               destination
DROP           all  --  !127.0.0.0/8         127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target         prot opt source               destination
sh-5.1# exit
exit
sh-4.4# exit
exit
Removing debug pod ...
Temporary namespace openshift-debug-lvffh was removed.
[jechen@jechen ~]$
[jechen@jechen ~]$
[jechen@jechen ~]$ oc get egressips.k8s.ovn.org
NAME EGRESSIPS ASSIGNED NODE ASSIGNED EGRESSIPS
egressip-54045 10.0.141.11
Actual results:
egressip is not re-assigned back to the egress node
Expected results:
egressip should be re-assigned back to the egress node
Additional info:
must-gather: https://drive.google.com/file/d/124RU6Yq7l95sMbTYpqt53vQaHumnOXrM/view?usp=sharing
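The four reproduction steps above, driven by a script instead of by hand. This is an added example and is not part of the bug report or of OVN-Kubernetes: it polls the EgressIP status with a timeout so that "not re-assigned" in step 4 is a measured result rather than a single `oc get` taken at an arbitrary moment, and it confirms with `iptables -C` that the DROP rule on the health-check port is really present or gone before it starts waiting, since a rule silently left behind would otherwise look like the same failure. It assumes `oc` is on PATH and logged in with cluster-admin; the EgressIP name, node name and timeouts are illustrative, and `OC` can be pointed at a stub for offline testing.

```shell
#!/bin/sh
# Added example, not from the bug report. Drives the block/unblock of the
# EgressIP health-check port (9107, the port the report blocks) and polls
# the EgressIP status instead of eyeballing `oc get`.
OC="${OC:-oc}"   # set OC=<stub function> to exercise the polling logic offline

# Print the node(s) an EgressIP is currently assigned to, one per line.
# Empty output means status.items is empty, i.e. unassigned (step 3 state).
assigned_nodes() {
    "$OC" get egressips.k8s.ovn.org "$1" \
        -o jsonpath='{range .status.items[*]}{.node}{"\n"}{end}'
}

# Wait up to $3 seconds (default 120) for EgressIP $1 to reach state $2:
#   assigned    - any node in status.items
#   unassigned  - no node in status.items
#   <node name> - that specific node
# Returns 0 when the state is reached, 1 on timeout.
wait_for_state() {
    eip=$1; want=$2; timeout=${3:-120}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        nodes=$(assigned_nodes "$eip")
        case "$want" in
            assigned)   [ -n "$nodes" ] && return 0 ;;
            unassigned) [ -z "$nodes" ] && return 0 ;;
            *)          echo "$nodes" | grep -qx "$want" && return 0 ;;
        esac
        sleep 5; elapsed=$((elapsed + 5))
    done
    return 1
}

# Insert (block) or delete (unblock) the same DROP rule the report uses,
# through `oc debug node/... -- chroot /host`, which is where step 3 and
# step 4 typed it by hand.
toggle_health_port() {
    node=$1
    case "$2" in
        block)   action="-I INPUT 1" ;;
        unblock) action="-D INPUT" ;;
        *) echo "usage: toggle_health_port NODE block|unblock" >&2; return 2 ;;
    esac
    "$OC" debug "node/$node" -- chroot /host \
        iptables $action -p tcp --dport 9107 -j DROP
}

# Report whether the DROP rule is present on the node. A marker on stdout is
# used rather than the exit status so the check does not depend on how
# `oc debug` propagates the container's exit code. Prints BLOCKED or OPEN.
health_port_state() {
    "$OC" debug "node/$1" -- chroot /host sh -c \
        'iptables -C INPUT -p tcp --dport 9107 -j DROP >/dev/null 2>&1 && echo BLOCKED || echo OPEN' \
        2>/dev/null | grep -x -e BLOCKED -e OPEN
}

# Full reproduction: precondition, block, expect unassigned, unblock,
# expect re-assignment to the same node within $REASSIGN_TIMEOUT seconds.
reproduce() {
    eip=$1; node=$2; reassign_timeout=${REASSIGN_TIMEOUT:-300}
    wait_for_state "$eip" "$node" 60 \
        || { echo "precondition failed: $eip not assigned to $node" >&2; return 1; }
    toggle_health_port "$node" block
    [ "$(health_port_state "$node")" = BLOCKED ] \
        || { echo "DROP rule for 9107 not present after insert" >&2; return 1; }
    wait_for_state "$eip" unassigned 120 \
        || { echo "$eip never unassigned while 9107 was blocked" >&2; return 1; }
    toggle_health_port "$node" unblock
    [ "$(health_port_state "$node")" = OPEN ] \
        || { echo "DROP rule for 9107 still present after delete" >&2; return 1; }
    if wait_for_state "$eip" "$node" "$reassign_timeout"; then
        echo "OK: $eip re-assigned to $node after unblocking 9107"
    else
        echo "BUG: $eip still unassigned ${reassign_timeout}s after unblocking 9107" >&2
        return 1
    fi
}

# Run only when the EgressIP and node are supplied via the environment, e.g.
#   REPRO_EIP=egressip-54045 REPRO_NODE=<egress node> sh repro.sh
[ -n "${REPRO_EIP:-}" ] && [ -n "${REPRO_NODE:-}" ] && reproduce "$REPRO_EIP" "$REPRO_NODE"
```

The timeouts are the values a tester would want to tune: the unassign wait only needs to cover the health-check failure window, while the re-assignment wait should be generous enough that a slow but successful re-assignment is not misreported as this bug.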
Relates to: CORENET-4093 Update GCP Credentials Request manifest for CNCC (Closed)