Bug 1809691

Summary: [IPI Baremetal][ipv6]: DHCP requests not blocked to bootstrap when using IPv6
Product: OpenShift Container Platform
Reporter: Stephen Benjamin <stbenjam>
Component: Installer
Assignee: Stephen Benjamin <stbenjam>
Installer sub component: OpenShift on Bare Metal IPI
QA Contact: Nataf Sharabi <nsharabi>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
CC: augol, rbartal
Version: 4.4
Keywords: Triaged
Target Milestone: ---
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The wrong port number was used when blocking DHCP traffic to the bootstrap node on IPv6. Consequence: A race was introduced where a worker could incorrectly get a DHCP lease from the bootstrap node. Fix: Block the correct port for DHCPv6. Result: Workers only provision from the Metal3 infrastructure running in the cluster.
Story Points: ---
: 1809695
Last Closed: 2020-07-13 17:17:45 UTC
Type: Bug
Bug Blocks: 1809695

Description Stephen Benjamin 2020-03-03 17:05:48 UTC
In BZ#1800746, we fixed a race where both bootstrap and cluster provisioning infrastructure are online at the same time, but we used the wrong port for DHCPv6.

RFC8415 says:

    Clients listen for DHCP messages on UDP port 546.  Servers and relay
    agents listen for DHCP messages on UDP port 547.

We need to add 547/udp to block any incoming requests.

Comment 3 Nataf Sharabi 2020-06-08 22:18:07 UTC
[root@titan44 ~]# oc version
Client Version: 4.5.0-202005291417-9933eb9

from the bootstrap during installation:

[root@titan44 ~]# virsh list --all
 Id   Name                                 State
-----------------------------------------------------
...output omitted...
 19   ocp-edge-cluster-0-rz8rb-bootstrap   running
...output omitted...


[core@localhost ~]$ sudo iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:547

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DHCP (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:80:5B:65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:3E:52:A3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:4F:6B:83
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
[core@localhost ~]$
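The check the description asks for and the rule set Comment 3 verifies by hand, as an automated check. This is an added example, not code from the installer or from either commenter; it assumes only the `iptables -t raw -L -n` output format shown above, and the pre-fix variant with port 546 is constructed on the assumption that the client port was the wrong port used.

```python
"""Check a bootstrap node's `iptables -t raw -L -n` output for the DHCP filter discussed
here: 67/udp and 547/udp (the DHCPv6 server port, RFC 8415) must jump to a chain that
ACCEPTs only the known MACs and ends in DROP. Added illustration, not installer code."""
import re

SERVER_PORTS = {"67", "547"}  # 546 is the DHCPv6 client port, not a server port

def parse_raw_table(text):
    """Map chain name -> [(target, proto, match text), ...]; header lines are skipped."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), []
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)
            chains[cur].append((f[0], f[1], f[5] if len(f) > 5 else ""))
    return chains

def check_dhcp_filter(text, expected_macs):
    """Return a list of findings; an empty list means the filter is as expected."""
    chains, found = parse_raw_table(text), []
    jumps = [(t, re.search(r"dpt:(\d+)", m)) for t, p, m in chains.get("PREROUTING", []) if p == "udp"]
    ports = {m.group(1) for _, m in jumps if m}
    chain = jumps[-1][0] if jumps else None  # chain the UDP rules jump to (DHCP on this page)
    found += [f"no PREROUTING rule for udp dpt:{p}" for p in sorted(SERVER_PORTS - ports)]
    found += [f"unexpected rule for udp dpt:{p}" for p in sorted(ports - SERVER_PORTS)]
    rules = chains.get(chain, [])
    accepted = {m.split()[-1].upper() for t, _, m in rules if t == "ACCEPT" and m.startswith("MAC ")}
    expected = {mac.upper() for mac in expected_macs}
    found += [f"MAC {mac} not allowed" for mac in sorted(expected - accepted)]
    found += [f"unexpected MAC {mac} allowed" for mac in sorted(accepted - expected)]
    if not rules or rules[-1][0] != "DROP":
        found.append(f"chain {chain} does not end in DROP")
    return found

# Rules copied from Comment 3 above (post-fix); header lines and the empty OUTPUT chain trimmed.
FIXED = """\
Chain PREROUTING (policy ACCEPT)
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:547
Chain DHCP (2 references)
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:80:5B:65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:3E:52:A3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:4F:6B:83
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""
BROKEN = FIXED.replace("dpt:547", "dpt:546")  # constructed pre-fix variant (assumed: client port used)
MASTERS = ["52:54:00:80:5b:65", "52:54:00:3e:52:a3", "52:54:00:4f:6b:83"]  # the MACs from Comment 3
```

Running `check_dhcp_filter(BROKEN, MASTERS)` reports both the missing 547/udp rule and the stray 546/udp rule, while the post-fix output from Comment 3 produces no findings.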

Comment 5 errata-xmlrpc 2020-07-13 17:17:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409