Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-59965

nncp route-rules applied breaks br-ex connectivity

XMLWordPrintable

    • nmstate-2.2.37-1.el9
    • No
    • Important
    • ZStream
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 1
    • Hide
      Customer/Partner Jira ID Customer Case Status Details
      Nokia RHEL-59965 03904333 The issue involves the nncp route-rules being incorrectly applied to the br-ex device (ovs-if-br-ex), which breaks connectivity on the node. After a troubleshooting session, it was determined that the rule should apply to the correct interface rather than br-ex. In addition to this solution, the team has provided a scratch build  that resolves the issue by applying the rule to the loopback interface when no desired interface is detected. The next step is further testing by the OpenShift QE team to validate the fix and ensure smooth backporting to OCP 4.14 and 4.16 for customer usage. 
       
      [2024-10-07] The Nmstate build containing the fix is still ongoing. Once completed, we will provide z-stream builds containing the fix so that OpenShift QE can do more testing asap.
      Show
      Customer/Partner Jira ID Customer Case Status Details Nokia RHEL-59965 03904333 The issue involves the nncp route-rules being incorrectly applied to the br-ex device (ovs-if-br-ex), which breaks connectivity on the node. After a troubleshooting session, it was determined that the rule should apply to the correct interface rather than br-ex. In addition to this solution, the team has provided a scratch build  that resolves the issue by applying the rule to the loopback interface when no desired interface is detected. The next step is further testing by the OpenShift QE team to validate the fix and ensure smooth backporting to OCP 4.14 and 4.16 for customer usage.    [2024-10-07] The Nmstate build containing the fix is still ongoing. Once completed, we will provide z-stream builds containing the fix so that OpenShift QE can do more testing asap.
    • False
    • Hide

      None

      Show
      None
    • None
    • NMT - RHEL-9.6/RHEL 10 DTM 4
    • Approved Blocker
    • Hide

      Given a network administrator is configuring route-rules using nmstate on an OCP cluster,

      When the route-rule is applied via nncp,

      Then, the rule should be applied only to the expected interfaces and not affect the br-ex device or any other OVS interfaces and the nncp should be in a healthy state without degrading the system status or causing the ovs-configuration.service to fail.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Integration tests are written and pass
      • The code is part of a downstream build attached to an errata
      • The fix is backported into rhel-9.2
      Show
      Given a network administrator is configuring route-rules using nmstate on an OCP cluster, When the route-rule is applied via nncp, Then, the rule should be applied only to the expected interfaces and not affect the br-ex device or any other OVS interfaces and the nncp should be in a healthy state without degrading the system status or causing the ovs-configuration.service to fail. Definition of Done: The implementation meets the acceptance criteria Integration tests are written and pass The code is part of a downstream build attached to an errata The fix is backported into rhel-9.2
    • Pass
    • Automated
    • None

      What were you trying to do that didn't work?

      we are trying to create nncp route-rules below, rule is created by applied for some reason to br-ex device (ovs-if-br-ex)  breaking br-ex connectivity. 

       

      apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: egress-policy
spec:
  desiredState:
    route-rules:
      config:
      - ip-to: 100.77.77.0/26
        priority: 5550
        route-table: 254
  nodeSelector:
    node-role.kubernetes.io/gateway: ""

       

      sh-5.1# ip rule list 
0:	from all lookup local
30:	from all fwmark 0x1745ec lookup 7
5550:	from all to 100.77.77.0/26 lookup main proto static
5999:	from all fwmark 0x3f0 lookup main
32766:	from all lookup main
32767:	from all lookup default

      What is the impact of this issue to you?

      nncp status is degraded, ovs-configuration.service didn't started, connectivity issue on br-ex device (ovs-if-br-ex)  blocking parter to use worker and egressIP running on it.

      Please provide the package NVR for which the bug is seen:

      sh-5.1# rpm -qa |grep nmstate
nmstate-2.2.27-2.el9_4.x86_64 
      kubernetes-nmstate-operator.4.16.0-202407181806 
OCP 4.14
OCP 4.16
      sh-5.1# cat /etc/os-release 
NAME="Red Hat Enterprise Linux CoreOS"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION="416.94.202407081958-0"
VERSION_ID="4.16"
VARIANT="CoreOS"
VARIANT_ID=coreos
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 416.94.202407081958-0"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.okd.io/latest/welcome/index.html"
BUG_REPORT_URL="https://access.redhat.com/labs/rhir/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.16"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.16"
OPENSHIFT_VERSION="4.16"
RHEL_VERSION=9.4
OSTREE_VERSION="416.94.202407081958-0"

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Apply nncp above with specified priority in table 254
      1. Check ip rules is applied : ip rule list
      1. Check in which interface the route-rule is applied: for c in $(nmcli -f UUID c show|grep -); do nmcli c show $c |grep routing; done

      Expected results

       nncp add route-rules without applying it on br-ex device

      Actual results

      nncp is applied on br-ex device (ovs-if-br-ex) for some reason

              fge@redhat.com Gris Ge
              ecisse@redhat.com El Hadji Sidi Ahmed Cisse
              Network Management Team Network Management Team
              Mingyu Shi Mingyu Shi
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

                Created:
                Updated: