Uploaded image for project: 'OpenShift SDN'
  1. OpenShift SDN
  2. SDN-4435

DPU: "Cannot use -A with -D" iptables error when enabling DPU mode

    XMLWordPrintable

Details

    • SDN Sprint 249
    • 0
    • 0.0
    • Rejected

    Description

      Description of problem:

      OVN-kube node crashes with the following errors:

F0809 19:25:35.697554 2129731 ovnkube.go:136] failed to start node network manager: failed to start default node network controller: failed to repair Egress Services entries: [running [/usr/sbin/iptables -t
nat -D OVN-KUBE-EGRESS-SVC -A OVN-KUBE-EGRESS-SVC -m mark --mark 0x3f0 -m comment --comment DoNotSNAT -j RETURN --wait]: exit status 2: iptables v1.8.8 (nf_tables): Cannot use -A with -D                    

Try `iptables -h' or 'iptables --help' for more information.
, running [/usr/sbin/iptables -t nat -D OVN-KUBE-EGRESS-SVC -A OVN-KUBE-EGRESS-SVC -m mark --mark 0x3f0 -m comment --comment "Do not SNAT to SVC VIP" -j RETURN --wait]: exit status 2: iptables v1.8.8 (nf_tables): Cannot use -A with -D

Try `iptables -h' or 'iptables --help' for more information.
]
I0809 19:25:35.697583 2129731 reflector.go:293] Stopping reflector *v1.Namespace (0s) from k8s.io/client-go/informers/factory.go:150 

With https://github.com/openshift/cluster-network-operator/pull/1874 tested.

      Version-Release number of selected component (if applicable):

      4.14 (pre feature freeze)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install DPU 2 Cluster
2. Upgrade OVN-K and CNO (https://github.com/openshift/cluster-network-operator/pull/1874) to the latest downstream
3.

      Actual results:

      We see these rules on the host:
sudo iptables -t nat -S OVN-KUBE-EGRESS-SVC
-N OVN-KUBE-EGRESS-SVC
-A OVN-KUBE-EGRESS-SVC -m mark --mark 0x3f0 -m comment --comment DoNotSNAT -j RETURN
-A OVN-KUBE-EGRESS-SVC -m mark --mark 0x3f0 -m comment --comment "Do not SNAT to SVC VIP" -j RETURN

Thus OVN-kube node crashes.

      Expected results:

      We should see these rules on the host instead.
sudo iptables -t nat -S OVN-KUBE-EGRESS-SVC
-N OVN-KUBE-EGRESS-SVC
-A OVN-KUBE-EGRESS-SVC -m mark --mark 0x3f0 -m comment --comment DoNotSNAT -j RETURN

      Additional info:

      https://github.com/ovn-org/ovn-kubernetes/pull/3064/files#diff-bb96390aa4d292c5ff6e2bc554446182b8abd55e12ba2a0290853b92aa4e1155R589

Slack thread: https://redhat-internal.slack.com/archives/CDCP2LA9L/p1691610257057969

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NHE-109 Bluefield-2 in DPU mode: rerun flow tests

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Testing

          Activity

            People

              rravaiol@redhat.com Riccardo Ravaioli
              wizhao@redhat.com William Zhao
              Ying Wang Ying Wang
              Votes:
              1 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated: