Bug 1540846

Summary: [egressip] The egressIP which assigned to project will still take effect after it has been removed
Product: OpenShift Container Platform
Component: Networking
Version: 3.9.0
Target Release: 3.9.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Meng Bo <bmeng>
Assignee: Dan Winship <danw>
QA Contact: Meng Bo <bmeng>
CC: aos-bugs, bbennett
Doc Type: No Doc Update
Last Closed: 2018-03-28 14:24:57 UTC
Bug Blocks: 1542591, 1542593

Attachments (flags: none on all):
openflow_before_egressIP_added
openflow_after_egressIP_added
openflow_after_egressIP_removed_from_netnamespace
openflow_after_egressIP_removed_from_hostsubnet

Description Meng Bo 2018-02-01 06:43:39 UTC
Description of problem:
After removing the egressIP assigned to the netnamespace, the pods in the project still use the egressIP to reach the outside network.

Version-Release number of selected component (if applicable):
v3.9.0-0.34.0
openvswitch 2.7.3

How reproducible:
always

Steps to Reproduce:
1. Set up a multi-node env
2. Create a project and have pods in it
3. Add an egressIP to the hostsubnet of any node
4. Add the above egressIP to the project's netnamespace
5. Try to access outside from the pods
6. Remove the egressIP from the netnamespace
7. Try to access outside from the pods
8. Remove the egressIP from the hostsubnet
9. Try to access outside from the pods

Actual results:
5. The pods will reach outside with the egressIP as source IP.
7. The pods will still reach outside with the egressIP as source IP.
9. The pods will lose outside connection.

Expected results:
7. The pods should use the landed node IP as the source IP.
9. The pods should be able to access outside network.

Additional info:
Related openflow rules attached.

Pod info:
$ oc get po -o wide 
NAME            READY     STATUS    RESTARTS   AGE       IP             NODE
test-rc-6ck6c   1/1       Running   0          47m       10.128.0.38    ose-node1.bmeng.local
test-rc-dpns6   1/1       Running   0          47m       10.128.2.196   ose-node2.bmeng.local

Node info:
$ oc get po -o wide 
NAME            READY     STATUS    RESTARTS   AGE       IP             NODE
test-rc-6ck6c   1/1       Running   0          47m       10.128.0.38    ose-node1.bmeng.local
test-rc-dpns6   1/1       Running   0          47m       10.128.2.196   ose-node2.bmeng.local

Project info:
# oc get netnamespace 
NAME              NETID      EGRESS IPS
bmengpp           3031874    []
default           0          []
kube-public       13569059   []
kube-system       4330111    []
openshift         721723     []
openshift-infra   8764350    []
openshift-node    13969432   []

Egress IP is 10.66.140.100 for testing.

Comment 1 Meng Bo 2018-02-01 06:45:14 UTC
Created attachment 1389347
openflow_before_egressIP_added

Comment 2 Meng Bo 2018-02-01 06:47:16 UTC
Created attachment 1389348
openflow_after_egressIP_added

Comment 3 Meng Bo 2018-02-01 06:47:53 UTC
Created attachment 1389349
openflow_after_egressIP_removed_from_netnamespace

Comment 4 Meng Bo 2018-02-01 06:48:17 UTC
Created attachment 1389350
openflow_after_egressIP_removed_from_hostsubnet

Comment 5 Dan Winship 2018-02-01 17:17:07 UTC
https://github.com/openshift/origin/pull/18393

Comment 7 Meng Bo 2018-02-22 07:55:44 UTC
Checked on OCP v3.9.0-0.47.0

The egress IP will not take effect after it was removed from netnamespace.

Comment 10 errata-xmlrpc 2018-03-28 14:24:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489