Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.16
Component/s: Networking / ovn-kubernetes
Labels:
None

Test Coverage:

+
Test Link:
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-75613
Severity:
Critical
Regression:
Yes
Sprint:
CNF Network Sprint 257
sprint_count:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Type:
Release Note Not Required
Release Note Status:
In Progress
RH Private Keywords:
Target Version:

4.17.0
Target Backport Versions:

4.16.z
Escape Reason:
Escape Impact:
Corrective Measures:
SDLC stage when should've been found:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:
Apps exposed via NodePort do not return responses to client requests if the client's ephemeral port is 22623 or 22624.
When testing with curl command specifying the local port as shown below, a response is returned if the ephemeral port is 22622 or 22626, but it times out if the ephemeral port is 22623 or 22624.

[root@bastion ~]# for i in {22622..22626}; do echo localport:${i}; curl -m 10 -I 10.0.0.20:32325 --local-port ${i}; done
localport:22622
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 25 Jul 2024 07:44:22 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Wed, 24 Jul 2024 12:20:19 GMT
Connection: keep-alive
ETag: "66a0f183-924b"
Accept-Ranges: bytes
localport:22623
curl: (28) Connection timed out after 10001 milliseconds
localport:22624
curl: (28) Connection timed out after 10000 milliseconds
localport:22625
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 25 Jul 2024 07:44:42 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Wed, 24 Jul 2024 12:20:19 GMT
Connection: keep-alive
ETag: "66a0f183-924b"
Accept-Ranges: bytes
localport:22626
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 25 Jul 2024 07:44:42 GMT
Content-Type: text/html
Content-Length: 37451
Last-Modified: Wed, 24 Jul 2024 12:20:19 GMT
Connection: keep-alive
ETag: "66a0f183-924b"
Accept-Ranges: bytes

This issue has been occurring since upgrading to version 4.16. Confirmed that it does not occur in versions 4.14 and 4.12.

Version-Release number of selected component (if applicable):
OCP 4.16

How reproducible:
100%

Steps to Reproduce:
1. Prepare a 4.16 cluster.
2. Launch any web app pod (nginx, httpd, etc.).
3. Expose the application externally using NodePort.
4. Access the URL using curl --local-port option to specify 22623 or 22624.

Actual results:
No response is returned from the exposed application when the ephemeral port is 22623 or 22624.

Expected results:
A response is returned regardless of the ephemeral port.

Additional info:
This issue started occurring from version 4.16, so it is possible that this is due to changes in RHEL 9.4, particularly those related to nftables.

blocks

OCPBUGS-38054 No response from applications exposed via NodePort when client ephemeral port is 22623 or 22624

Closed

is cloned by

OCPBUGS-38054 No response from applications exposed via NodePort when client ephemeral port is 22623 or 22624

Closed

links to

Communication with pods becomes unresponsive when client port is 22623 or 22624

openshift/ovn-kubernetes#2240: OCPBUGS-37541: Fix per-pod MCS/metadata blocking

RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update

Assignee:: Carlos Goncalves

Reporter:: Yuki Okada

QA Contact:: Huiran Wang

Contributors:: Dan Winship

Votes:: 0 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 2024/07/25 8:34 AM

Updated:: 2024/08/29 2:47 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates