Bug
Resolution: Unresolved
Critical
4.22
None
NOTE: This bug is Critical because it blocks API promotion of Two Nodes with Fencing to Default
Description of problem:
The TriggerNetworkDisruption function used by TNF recovery tests hardcodes iptables for blocking network traffic between nodes. On IPv6 clusters, iptables silently ignores IPv6 addresses — ip6tables is required.
As a result, the network disruption never takes effect, fencing is never triggered, and the test times out waiting for a member removal/re-addition that never happens.
Version-Release number of selected component (if applicable):
4.22
How reproducible:
100% on IPv6 using the network disruption recovery test.
Steps to Reproduce:
1. Deploy a two-node cluster with IPv6 networking and fencing enabled
2. Run the e2e-metal-ovn-two-node-fencing-ipv6-recovery-techpreview periodic job
3. Observe the "should recover from network disruption with etcd member re-addition" test
Actual results:
The test generates an iptables command with an IPv6 peer address:
sudo iptables -I INPUT -j DROP -s fd2e:6f44:5dd8:c956::14 && sudo iptables -I OUTPUT -j DROP -d fd2e:6f44:5dd8:c956::14
iptables does not handle IPv6 addresses. No network partition occurs, no fencing triggers, and both nodes remain non-learner voting members. The test times out after 1200s with:
expected 2 members with exactly one learner, both nodes are non-learners
Expected results:
The function should detect the IP address family and use ip6tables for IPv6 addresses. The network partition should trigger fencing, member removal, and subsequent recovery.
Additional info:
The same function is also used by the BMC credential rotation test (should recover from BMC credential rotation with fencing), which is equally affected on IPv6 clusters.
Failing job: periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-two-node-fencing-ipv6-recovery-techpreview #2022978966146519040
Bug location:
origin/test/extended/util/nodes.go:118-129 — TriggerNetworkDisruption function.
Fix:
Detect the address family from the peer IP and select the correct firewall command:
iptablesCmd := "iptables"
if net.ParseIP(peerIP).To4() == nil { // peer is not an IPv4 address
    iptablesCmd = "ip6tables"
}
Then use iptablesCmd in place of the hardcoded "iptables" in both the block and cleanup commands.
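A fuller version of the selection logic, as an added example that is not the origin code: disruptionCommands is a hypothetical helper, and the -D cleanup form is an assumption because the report only shows the block command. It also rejects input that does not parse as an IP, since net.ParseIP(x).To4() is nil for unparsable strings too and they would otherwise be treated as IPv6 and passed to the sudo shell command.

```go
package main

import (
	"fmt"
	"net"
)

// disruptionCommands is a hypothetical helper (not the origin code). It returns
// the shell commands that drop, and later restore, traffic to and from peerIP.
func disruptionCommands(peerIP string) (block, cleanup string, err error) {
	ip := net.ParseIP(peerIP)
	if ip == nil {
		// A hostname or malformed value must not reach the shell command line.
		return "", "", fmt.Errorf("invalid peer IP %q", peerIP)
	}
	bin := "ip6tables"
	if ip.To4() != nil {
		bin = "iptables" // IPv4, including IPv4-mapped IPv6 such as ::ffff:192.0.2.10
	}
	addr := ip.String() // canonical text form; IPv4-mapped input becomes dotted quad
	rule := func(action string) string {
		return fmt.Sprintf(
			"sudo %[1]s %[2]s INPUT -j DROP -s %[3]s && sudo %[1]s %[2]s OUTPUT -j DROP -d %[3]s",
			bin, action, addr)
	}
	// Assumption: cleanup deletes the same rule specifications with -D.
	return rule("-I"), rule("-D"), nil
}

func main() {
	// Constructed inputs; the first is the peer address quoted in the report.
	peers := []string{"fd2e:6f44:5dd8:c956::14", "192.0.2.10", "::ffff:192.0.2.10", "node-1.example.com"}
	for _, peer := range peers {
		block, cleanup, err := disruptionCommands(peer)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("block:  ", block)
		fmt.Println("cleanup:", cleanup)
	}
}
```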
clones
OCPBUGS-76943 BMC credential rotation test fails in dualstack lanes due to FQDN node name mismatch
POST