  2. OCPBUGS-38735

DNS Egress firewall should remove address_set entries after some time

    • CORENET Sprint 273, CORENET Sprint 274, CORENET Sprint 275, CORENET Sprint 276
    • 4
    • Done
    • Bug Fix
       * Before this update, stale IP addresses remained in the `address_set` of the corresponding DNS rule for the `EgressFirewall` CRD. These addresses should have been removed, but instead they kept accumulating in the `address_set`, which caused memory leak issues. With this release, when the time to live (TTL) of an IP address expires, the IP address is removed from the `address_set` once a 5-second grace period has elapsed. (link:https://issues.redhat.com/browse/OCPBUGS-38735[OCPBUGS-38735])

      Description of problem:

      Based on customer feedback, the OVN `address_set` does not appear to have IPs removed after some time, at least for IPs that came from DNS wildcard lookups. This means the set can grow without bound if the IP addresses behind the hostname change over time.

      Version-Release number of selected component (if applicable):

          4.16.8

      How reproducible:

          100%

      Steps to Reproduce:

      1. Create an EgressFirewall DNS rule for *.webhook.office.com
      2. Repeatedly connect to that host to populate entries
      3. Stop accessing that host

      Actual results:

      address_set items never expire

      Expected results:

      address_set items should expire after some reasonable timeframe or possibly at the TTL received when looking up the hostname?

      Additional info:

      Should there be an option to set a maximum number of entries, so that an errant DNS entry doesn't let someone create a DoS scenario by yielding billions of address_set entries?

      Need to also ensure that when/if we remove entries due to expiry there are no active connections to those IP addresses, considering that some connections may be long lived. TTL may not be the best value, because it may be too short.

      Also, some DNS servers don't provide all answers on each query.

      Maybe this needs to be configured per hostname or per cluster, i.e. a 1 hour timeout if the entry has not been refreshed, based on the maximum duration of long-lived connections for a specific use case.
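The expiry behaviour described in the release note (remove an IP once its TTL has lapsed plus a 5-second grace period) and the two concerns raised above (an entry cap against unbounded growth, and DNS servers that omit some answers on a given query) can be modelled in a few lines. This is an added illustration, not OVN-Kubernetes code; the `maxEntries` cap, the `AddressSet` type and the 203.0.113.0/24 answers are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed model of an EgressFirewall DNS address_set (not OVN-Kubernetes code). An IP is
// dropped only once the TTL of the answer that last returned it has lapsed by more than the grace period.
const gracePeriod = 5 * time.Second
type AddressSet struct {
	maxEntries int                  // assumed cap against unbounded growth (0 = no cap)
	expires    map[string]time.Time // ip -> instant at which its last observed TTL lapses
}

func NewAddressSet(maxEntries int) *AddressSet {
	return &AddressSet{maxEntries: maxEntries, expires: map[string]time.Time{}}
}

// Refresh records one DNS answer: known IPs get their TTL renewed; IPs absent from this answer age
// out on their own, since some DNS servers do not return every address on every query. Returns how many new IPs the cap refused.
func (a *AddressSet) Refresh(ips []string, ttl time.Duration, now time.Time) int {
	refused := 0
	for _, ip := range ips {
		if _, known := a.expires[ip]; !known && a.maxEntries > 0 && len(a.expires) >= a.maxEntries {
			refused++
			continue
		}
		a.expires[ip] = now.Add(ttl)
	}
	return refused
}
// Expire removes every IP whose TTL lapsed more than gracePeriod ago and returns them sorted.
func (a *AddressSet) Expire(now time.Time) []string {
	var removed []string
	for ip, exp := range a.expires {
		if now.After(exp.Add(gracePeriod)) {
			delete(a.expires, ip)
			removed = append(removed, ip)
		}
	}
	sort.Strings(removed)
	return removed
}
func main() {
	t0, s := time.Now(), NewAddressSet(1000)
	s.Refresh([]string{"203.0.113.10", "203.0.113.11"}, 30*time.Second, t0) // constructed answer
	fmt.Println("removed at +36s:", s.Expire(t0.Add(36*time.Second)), "left:", len(s.expires))
}
```

Calling `Expire` from a periodic ticker (rather than on every lookup) keeps the sweep cheap even when a wildcard rule has produced thousands of entries.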

              rh-ee-arsen Arkadeep Sen (Aurko)
              rhn-support-sdodson Scott Dodson
              Huiran Wang Huiran Wang
              Darragh Fitzmaurice Darragh Fitzmaurice