Bug 1490820
Summary: | listen-address in dnsmasq when using flannel unreachable by pods | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Eduardo Minguez <eminguez> |
Component: | Networking | Assignee: | Rajat Chopra <rchopra> |
Status: | CLOSED DUPLICATE | QA Contact: | Meng Bo <bmeng> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | | |
Version: | 3.6.1 | CC: | aos-bugs, bbennett, bdobreli, eminguez, erich, ghuang, jkaur |
Target Milestone: | --- | | |
Target Release: | 3.8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-07 14:12:56 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Eduardo Minguez
2017-09-12 10:15:26 UTC
Just a side note, I do not think iptables rules would be a good fix at the end of the day, keeping in mind https://docs.openshift.com/container-platform/latest/admin_guide/iptables.html#iptables-service that makes any iptables rules ephemeral, which is a node boot time only (IIUC). Perhaps the better fix would be to fix the dnsmasq config and/or better document the iptables persistence caveats for openshift or provide poor users like me some help with translating iptables rules for firewalld.

Proposed openshift-ansible fix https://github.com/openshift/openshift-ansible/pull/5560

As I understood, the os_firewall_manage_iptables provider works fine for simple rules and can manage to handle this case fully, therefore the proposed fix based on iptables rules. Although I'm not sure how to handle advanced flannel configuration steps described in https://bugzilla.redhat.com/show_bug.cgi?id=1490960, like masquerade rules. But that's another story.

I think the DNS issue happens because the nodes have just one network interface as in the reference architecture the DNS iptables rules are not needed.

This requires an enhancement in Ansible so that dnsIP is overridable by flannel. Alternatively, the fact 'ansible_default_ipv4' can be set to the desired interface's IP address either by the playbook or by changing the default route on the host. (i.e. the interface that will route 8.8.8.8)

Workaround fix will be as per this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1493955 That means, the above bug's fixes will cover this bug's problems also.

*** This bug has been marked as a duplicate of bug 1493955 ***