Bug 1872128
| Summary: | Can't run container with hostPort on ipv6 cluster | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Nir <nyehia> | |
| Component: | Node | Assignee: | Antonio Ojea <aojeagar> | |
| Node sub component: | CRI-O | QA Contact: | Weinan Liu <weinliu> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | medium | |||
| Priority: | medium | CC: | aojeagar, aos-bugs, dcbw, dwalsh, ealcaniz, jokerman, schoudha, tsweeney, weinliu, william.caban | |
| Version: | 4.5 | |||
| Target Milestone: | --- | |||
| Target Release: | 4.7.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: CRI-O only uses IPv4 iptables to implement containers Host Ports
Consequence: HostPort doesn´t work for IPv6
Fix: Implement HostPort IPv6 support in CRI-O
Result: CRI-O support HostPort for IPv6 and IPv4
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1900658 (view as bug list) | Environment: | ||
| Last Closed: | 2021-02-24 15:16:08 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1897336, 1900658 | |||
|
Description
Nir
2020-08-25 07:00:20 UTC
It seems that CRI-O is always using iptables IPv4 for managing the host port mapping https://github.com/cri-o/cri-o/blob/81a23e1553271e747d177b863235a24337f41181/server/server.go#L338-L342 > iptInterface := utiliptables.New(utilexec.New(), utiliptables.ProtocolIPv4) One solution to fix this bug would be to parse the network configuration and initializing the hostportManager with the proper ipFamily. However, this would not solve the dual stack problem, where we should run two hostPort managers in parallel, one for each ipFamily. We solved this in kubernetes upstream https://github.com/kubernetes/kubernetes/pull/80854 using one portManager per IP family and leveraging the sandbox IPs to choose the right one. I submitted a PR with the later approach https://github.com/cri-o/cri-o/pull/4116 cri-o PR merged Blocked by [BM][IPI] Master deployment failed: No valid host was found. Reason: No conductor service registered which supports driver redfish for conductor group https://bugzilla.redhat.com/show_bug.cgi?id=1902653, we can not get an ipv6 cluster built Have you curled/pinged/polled the exposed hostPort to verify that it acually forwards the traffic to the container? We only managed to get clusters of ipv6 & disconnected, no mirrored images available. I checked pod creating with a Completed status. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633 |