Bug 1370435

Summary: [networking_public_107] The service cannot be accessed when set the enableUnidling to false on node
Product: OpenShift Container Platform Reporter: Meng Bo <bmeng>
Component: NetworkingAssignee: Ben Bennett <bbennett>
Status: CLOSED ERRATA QA Contact: Meng Bo <bmeng>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.0CC: aos-bugs, bbennett
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The new unidling feature had a bug where it removed the service proxier when unidling was disabled. Consequence: The service would not work. Fix: Fix the bug. Result: The service works.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-27 09:46:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Meng Bo 2016-08-26 10:23:42 UTC 
Description of problem:
Modify the node-config to set the enableUnidling to false and restart the node service. Create service/pod and try to access the service and pod ip:port. The service ip cannot be accessed.

Version-Release number of selected component (if applicable):
openshift v3.3.0.23-dirty
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git


How reproducible:
always

Steps to Reproduce:
1. Setup multinode env with 1 master 1 node 
2. Modify the node-config on the node to set the enableUnidling to false
# cat node-config.yaml
dockerConfig:
  execHandlerName: ""
iptablesSyncPeriod: "30s"
kind: NodeConfig
enableUnidling: false
...
3. Restart the node service to make it works
4. Create service and rc
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/list_for_pods.json
$ oc get all -owide 
NAME               DESIRED         CURRENT       AGE         CONTAINER(S)   IMAGE(S)                SELECTOR
rc/test-rc         2               2             13m         test-pod       bmeng/hello-openshift   name=test-pods
NAME               CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE            SELECTOR
svc/test-service   172.30.144.29   <none>        27017/TCP   13m            name=test-pods
NAME               READY           STATUS        RESTARTS    AGE            IP         NODE
po/test-rc-3wqhb   1/1             Running       0           13m            10.1.0.3   host-8-172-121.host.centralci.eng.rdu2.redhat.com
po/test-rc-4b8ow   1/1             Running       0           13m            10.1.0.5   host-8-172-121.host.centralci.eng.rdu2.redhat.com

5. Try to access the svc from the pod
[root@fedora23 v3]# oc exec test-rc-3wqhb -- curl -s 10.1.0.5:8080
Hello OpenShift!
[root@fedora23 v3]# oc exec test-rc-3wqhb -- curl -s 10.1.0.3:8080
Hello OpenShift!
[root@fedora23 v3]# oc exec test-rc-3wqhb -- curl -s 172.30.144.29:27017
error: error executing remote command: error executing command in container: Error executing in Docker Container: 7

6. Check the iptables rules on the node 
# iptables -t nat -nL | grep 172.30.144.29

Actual results:
5. The service ip:port cannot be accessed from cluster.
6. Nothing found in iptables.

Expected results:
5. The service should be able to access from inside the cluster.

Additional info:
Comment 1 openshift-github-bot 2016-08-26 22:23:35 UTC 
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/07c01a63a1cc783446494323ddd7e4b8a6b49e57
Restores the service proxier when unidling is disabled

The unidling code change had inadvertently removed the proxier when
idling was disabled.  This change restores the default proxier
(userspace or iptables depending on the config).

Bug 1370435
Comment 3 Meng Bo 2016-08-30 06:12:31 UTC 
Tested on build v3.3.0.27, issue has been fixed.

The service can be accessed when setting the enableUnidling to false on nodes.
Comment 5 errata-xmlrpc 2016-09-27 09:46:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933