Bug 1887456

Summary: It is impossible to attach the default NIC to a bridge with the latest version of OVN Kubernetes
Product: OpenShift Container Platform
Reporter: Petr Horáček <phoracek>
Component: Networking
Assignee: Tim Rozet <trozet>
Networking sub component: ovn-kubernetes
QA Contact: Ross Brattain <rbrattai>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: high
CC: anbhat, bbennett, danken, fpan, mcornea, rbrattai, rgarcia, ross.b.brattain
Version: 4.6
Flags: anusaxen: needinfo? (ross.b.brattain)
Target Milestone: ---
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OVN-Kubernetes takes the default gateway interface on the host and moves it into an OVS bridge called "br-ex". This bridge is primarily used to share the physical NIC of the host with the host network stack as well as OVN. However, there was no accommodation for anything else attaching to and using the br-ex bridge (like CNV).
Consequence: Attaching another interface to br-ex, such as a veth pair to a linux bridge or some other internal interface, would not function correctly. Traffic would not egress/ingress as expected from the br-ex bridge to the newly added interface.
Fix: OpenFlow programmed by OVN-Kubernetes has been fixed to normally switch traffic that does not belong to OVN or the host.
Result: Attaching a new interface to br-ex will function the same as it would on any normal switch such as a linux bridge.
Story Points: ---
Clone Of:
: 1889309
Environment:
Last Closed: 2021-02-24 15:25:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1885605, 1889309, 1893160

Description Petr Horáček 2020-10-12 14:16:21 UTC
Description of problem:

When users have only a single NIC available on their nodes, they can use this NIC for both the default network and for a secondary L2 network. To allow that we configure a linux bridge on top of the NIC and move the original IP of the NIC on top of the bridge. That way, this network can be still used by the default SDN while also utilized for secondary L2 connections.

With a recent change of the gateway mode in OVN Kubernetes, the default NIC of a host is now attached to an OVS bridge "br-ex". Due to this, users are unable to use their primary network for bridging and providing L2 connectivity for their VMs/Pods. This kind of topology was possible in 4.5 and this bug will break upgrade and use for some of our users.

Find more info and suggested solutions in a bug that was opened on OpenShift Virtualization to track this regression https://bugzilla.redhat.com/show_bug.cgi?id=1885605. Opening this new BZ to track the resolution on OVN Kubernetes side.


Version-Release number of selected component (if applicable):
OCP 4.6


How reproducible:
Always


Steps to Reproduce:
1. Deploy cluster with OVN Kubernetes
2. Try to configure Linux bridge on top of the default NIC


Actual results:
This fails since the NIC is now attached to OVN Kubernetes' br-ex.


Expected results:
User should be able to reconfigure the default interface. E.g. attach it to a Linux bridge to allow L2 connections to the default network for Pods and VMs.

Comment 3 Tim Rozet 2020-11-16 15:09:39 UTC
Shared gw fix is merged into 4.7. Testing local gateway fix that will be required for 4.6 backport:
https://github.com/ovn-org/ovn-kubernetes/pull/1843

Comment 4 Tim Rozet 2020-11-16 15:12:27 UTC
Note, the solution to this bug will be to allow other applications on the host to attach a port to br-ex (shared bridge) and traffic will flow normally over it like a regular L2 bridge. OVN-K8S will still take the NIC and move it onto the br-ex bridge at install time. Then CNV or any other application can simply attach to br-ex with an OVS patch port (if connecting to another OVS bridge) or create a veth pair to attach a linux bridge or something else.

Comment 6 Anurag saxena 2020-12-01 19:16:48 UTC
@rbrattai Can you help looking at this?

Comment 7 Ross Brattain 2020-12-05 06:17:09 UTC
Verified on 4.7.0-0.nightly-2020-12-03-083300 on OpenStack

Created veth pair, attached to Linux bridge, tcpdumped and saw MDNS traffic from all the other nodes in the cluster.

# create the veth pair and bring both ends up
ip link add v1 type veth peer v2
ip link set v1 up
ip link set v2 up
# create the Linux bridge and enslave the v2 end to it
ip link add name br-0 type bridge
ip link set br-0 up
ip link set v2 master br-0
# attach the v1 end to OVN-Kubernetes' br-ex
ovs-vsctl add-port br-ex v1
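The verification in Comment 7 and the attachment model described in Comment 4 (a veth pair joining br-ex to a Linux bridge) can be checked mechanically rather than by eyeballing tcpdump. The script below is an added example and is not part of the bug report, the OVN-Kubernetes project, or its test suite. It reuses the interface names v1, v2, br-0 and br-ex from Comment 7; the sample `ovs-vsctl list-ports` and `ip -o link show` outputs are constructed (the NIC name ens3 and the patch-port name are placeholders), and it assumes the kernel reports OVS-attached ports with `master ovs-system`, as the OVS kernel datapath does.

```shell
#!/bin/sh
# Added example, not from the bug report: check that a veth pair really
# joins OVN-Kubernetes' br-ex (OVS) to a Linux bridge, as in Comment 7.
# Interface names v1, v2, br-0 and br-ex come from Comment 7; the sample
# command outputs below are constructed, not captured from a cluster.

# Print the token that follows KEY ("master" or "state") on the line for
# interface IFC in `ip -o link show` output read from stdin. Veth ends
# appear as "v1@v2:" and plain interfaces as "br-0:", so both are matched.
link_field() {
  awk -v ifc="$1" -v key="$2" '
    $2 == (ifc ":") || index($2, ifc "@") == 1 {
      for (i = 3; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# verify_attachment OVS_PORTS IP_LINK OVS_END LNX_END LNX_BRIDGE
#   OVS_PORTS  output of `ovs-vsctl list-ports br-ex`
#   IP_LINK    output of `ip -o link show`
# Returns 0 when OVS_END is listed as a br-ex port and the kernel shows it
# enslaved to ovs-system, LNX_END is enslaved to LNX_BRIDGE, and all three
# interfaces are UP. Returns 1 with a reason on stderr otherwise.
verify_attachment() {
  ovs_ports=$1 ip_link=$2 ovs_end=$3 lnx_end=$4 lnx_br=$5
  printf '%s\n' "$ovs_ports" | grep -qxF "$ovs_end" ||
    { echo "$ovs_end is not a port of br-ex" >&2; return 1; }
  [ "$(printf '%s\n' "$ip_link" | link_field "$ovs_end" master)" = ovs-system ] ||
    { echo "$ovs_end is not enslaved to the OVS datapath" >&2; return 1; }
  [ "$(printf '%s\n' "$ip_link" | link_field "$lnx_end" master)" = "$lnx_br" ] ||
    { echo "$lnx_end is not enslaved to $lnx_br" >&2; return 1; }
  for ifc in "$ovs_end" "$lnx_end" "$lnx_br"; do
    [ "$(printf '%s\n' "$ip_link" | link_field "$ifc" state)" = UP ] ||
      { echo "$ifc is not UP" >&2; return 1; }
  done
  return 0
}

# Constructed sample outputs representing a node after Comment 7's commands.
# "ens3" and the patch-port name are placeholders, not values from the page.
SAMPLE_OVS_PORTS='ens3
patch-br-ex_node1-to-br-int
v1'
SAMPLE_IP_LINK='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master ovs-system state UP mode DEFAULT group default qlen 1000
3: br-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
4: v2@v1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0 state UP mode DEFAULT group default qlen 1000
5: v1@v2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000'

# Run the same check against the live host (needs root, ovs-vsctl, iproute2).
live_verify() {
  verify_attachment "$(ovs-vsctl list-ports br-ex)" "$(ip -o link show)" v1 v2 br-0
}

if [ "${1:-}" = live ]; then
  live_verify
else
  verify_attachment "$SAMPLE_OVS_PORTS" "$SAMPLE_IP_LINK" v1 v2 br-0 &&
    echo "sample topology: v1 on br-ex, v2 on br-0, all links UP"
fi
```

Run it without arguments to exercise the constructed sample, or with `live` on a node after the commands from Comment 7 to check the real topology; a non-zero exit with the reason on stderr tells you which of the three attachment points (OVS port, Linux bridge membership, link state) is missing, which is the usual cause of "no traffic" when a bridge is wired by hand.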

Comment 10 errata-xmlrpc 2021-02-24 15:25:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633