OpenShift Bugs: OCPBUGS-2663

Host -> service -> endpoint via another NIC no longer works in local gw mode


    • Quality / Stability / Reliability
    • Important
    • Rejected
    • SDN Sprint 231, SDN Sprint 232, SDN Sprint 233, SDN Sprint 234

      Description of problem:

      In 4.10 we changed the behavior of host -> service functionality in local gw mode to use the same behavior as in shared gateway mode. However, we missed a case where a customer may have host-networked endpoints that reside on a network other than the one served via br-ex. For example, let's take a scenario where the customer has 2 NICs on a node: eth0 (1.1.1.0/24 net) and eth1 (172.18.0.0/24 net). eth1 is attached to br-ex. The Kubernetes API is being served via the 1.1.1.0 network. Now:
      
      1. host sends a request to k8s API service
      2. internally we send this packet towards br-ex
      3. masquerading is done via openflow and the packet is sent into OVN
      4. OVN will DNAT the service to the endpoint, which would be on the 1.1.1.0 network
      5. OVN will realize the packet destination is not an ovn networked pod, and send it back to br-ex, while SNAT'ing to 172.18.0.x
      6. In br-ex we will see the destination is something outside of the host and forward it out of eth1
      
      What should have happened:
      6. In br-ex we should have had routing flows that realize we need to send this packet back into the host so that it can be routed via the linux stack out the secondary NIC. We will need to SNAT to 169.254.169.1 (OVN GR) to make sure reply traffic will go back to OVN (happens later in the openflow flows).
      7. In the host we will need to SNAT the packet as it leaves the secondary interface.

      Version-Release number of selected component (if applicable):

      4.10 and later

      How reproducible:

      every time

      Additional info:

      We know that if a user provides a default gateway, br-ex will always be on that interface. What we need to do is look at the host routing table and, for each route on a different interface, add it as an openflow rule.
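The fix sketched in the report (walk the host routing table and program one br-ex OpenFlow rule per route that leaves through a NIC other than the br-ex uplink) is worked through in the added Go example below. This is illustrative code written for this page, not ovn-kubernetes' own implementation: the flow match/action shape, the patch-port name `patch-br-ex_node1-to-br-int`, the priority scheme and the sample routing table are assumptions; only the 169.254.169.1 SNAT address and the two-NIC topology come from the report.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Route is the subset of an `ip route show` entry that matters here.
type Route struct {
	Dst *net.IPNet // destination prefix; nil for the default route
	Dev string     // output interface ("" if the entry names none)
}

// ParseRoutes parses lines in the text format printed by `ip route show`.
// Keywords other than `dev` are ignored; a host route without a mask gets /32.
// Entries without an interface (blackhole/unreachable/prohibit) are dropped,
// because there is no NIC to steer such traffic back out of.
func ParseRoutes(lines []string) ([]Route, error) {
	var routes []Route
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "blackhole", "unreachable", "prohibit":
			continue
		}
		var r Route
		if f[0] != "default" {
			dst := f[0]
			if !strings.Contains(dst, "/") {
				dst += "/32" // `ip route` prints host routes without a mask
			}
			_, ipnet, err := net.ParseCIDR(dst)
			if err != nil {
				return nil, fmt.Errorf("route %q: %w", line, err)
			}
			r.Dst = ipnet
		}
		for i := 1; i+1 < len(f); i++ {
			if f[i] == "dev" {
				r.Dev = f[i+1]
				break
			}
		}
		routes = append(routes, r)
	}
	return routes, nil
}

// HostRoutedFlows emits one br-ex flow per IPv4 host route whose interface is
// neither br-ex nor its uplink (the default route and loopback are skipped).
// The flow shape is an ASSUMPTION for illustration, not ovn-kubernetes' real
// flows: traffic arriving from OVN on patchPort and destined for the prefix is
// SNATed to snatIP and delivered to the host (LOCAL) so the Linux stack routes
// it out the secondary NIC. Priority grows with prefix length so that a more
// specific route wins over a covering one, mirroring longest-prefix matching.
func HostRoutedFlows(routes []Route, brEx, uplink, patchPort string, snatIP net.IP) []string {
	var flows []string
	for _, r := range routes {
		if r.Dst == nil || r.Dev == "" || r.Dev == "lo" || r.Dev == brEx || r.Dev == uplink {
			continue
		}
		if r.Dst.IP.To4() == nil {
			continue // the masquerade address in the report is IPv4 only
		}
		ones, _ := r.Dst.Mask.Size()
		flows = append(flows, fmt.Sprintf(
			"table=0, priority=%d, in_port=%s, ip, nw_dst=%s, actions=ct(commit,nat(src=%s)),LOCAL",
			100+ones, patchPort, r.Dst, snatIP))
	}
	return flows
}

// SampleRouteTable is a constructed routing table for the two-NIC node in the
// report: eth1 (172.18.0.0/24) sits under br-ex, eth0 carries 1.1.1.0/24 and
// a static route to 10.0.0.0/8 through it.
var SampleRouteTable = []string{
	"default via 172.18.0.1 dev br-ex proto static metric 48",
	"1.1.1.0/24 dev eth0 proto kernel scope link src 1.1.1.5",
	"10.0.0.0/8 via 1.1.1.1 dev eth0 proto static",
	"172.18.0.0/24 dev br-ex proto kernel scope link src 172.18.0.5",
	"blackhole 192.168.100.0/24",
}

func main() {
	routes, err := ParseRoutes(SampleRouteTable)
	if err != nil {
		panic(err)
	}
	// Hypothetical patch-port name; the real name is per-node.
	for _, f := range HostRoutedFlows(routes, "br-ex", "eth1", "patch-br-ex_node1-to-br-int", net.ParseIP("169.254.169.1")) {
		fmt.Println("ovs-ofctl add-flow br-ex", "'"+f+"'")
	}
}
```

Only the routes on eth0 produce flows; the default route and the 172.18.0.0/24 route already live on br-ex and the blackhole entry has no interface. In a real controller these flows would have to be regenerated whenever the host routing table changes, since a route added or removed later otherwise leaves br-ex forwarding that traffic out the uplink again.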

              Surya Seetharaman (sseethar)
              Tim Rozet (trozet@redhat.com)
              Anurag Saxena