Bug 2002657

Summary: ovn-kube egress IP monitoring is using a random port over the node network
Product: OpenShift Container Platform Reporter: Dan Winship <danw>
Component: Networking Assignee: Patryk Diak <pdiak>
Networking sub component: ovn-kubernetes QA Contact: huirwang
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: ddharwar, jnordell, zzhao
Version: 4.10   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-12 04:38:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Winship 2021-09-09 12:57:59 UTC
Bug 1942856 mentions the fact that apparently it is currently necessary to open up port 9 between nodes in order for ovn-kubernetes egress IP checking to work. This is not supposed to be required.

The original openshift-sdn code does the pings over the pod network (i.e., it pings the remote node's tun0 IP), so all ports are open and the code can use whatever port it wants. (I picked port 9 because it's semantically correct ("discard"), and because I didn't want to connect to a port that might actually have a server on it that would log a message about "received connection"/"connection closed unexpectedly" or whatever every time we pinged.)

ovn-kubernetes's egress IP code, as currently written, is using the node's primary IP rather than its pod-network IP as the ping target, so the traffic goes over the node network, and fails, because most clusters are not going to allow traffic between nodes on port 9.

There are two possible fixes:

  - Change the code to use the nodes' pod-network IPs like openshift-sdn
    does, rather than their node-network IPs

  - Change the port to something which is already open between nodes.
    E.g., you could reserve a port in the 9000-9999 range in
    https://github.com/openshift/enhancements/blob/master/dev-guide/host-port-registry.md
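
As an added illustration (not code from ovn-kubernetes or openshift-sdn), the Go probe below shows why the port-9 check breaks over a filtered node network: a "connection refused" from an unused port proves the peer's kernel is alive, while a SYN dropped by a firewall only ever times out, which the prober cannot tell apart from a dead node. The peer IP and the 9000 stand-in for a registered host port are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// Verdict is what one TCP "ping" of a peer node told us.
type Verdict int

const (
	PeerUp       Verdict = iota // connected, or got an RST: the host is alive
	PeerFiltered                // SYN timed out: host down, or a firewall dropped it
	PeerError                   // anything else (no route, DNS, ...)
)

// Classify maps a dial error to a Verdict. "Connection refused" counts as
// up: the kernel on the peer answered, it just has no listener on that port,
// which is exactly what an unused port such as 9 (discard) should do.
func Classify(err error) Verdict {
	if err == nil || errors.Is(err, syscall.ECONNREFUSED) {
		return PeerUp
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return PeerFiltered
	}
	return PeerError
}

// Probe dials addr:port once with a deadline and classifies the outcome.
func Probe(addr string, port int, timeout time.Duration) Verdict {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(addr, fmt.Sprint(port)), timeout)
	if err == nil {
		c.Close()
	}
	return Classify(err)
}

func main() {
	// Constructed placeholders: a peer node IP, port 9 from the bug, and 9000
	// standing in for a port registered in the 9000-9999 host-port range.
	for _, port := range []int{9, 9000} {
		fmt.Printf("10.0.0.2:%d -> verdict %d\n", port, Probe("10.0.0.2", port, time.Second))
	}
}
```

Only a PeerFiltered verdict is ambiguous, so the probe has to travel a path where nothing between the nodes drops it, which is what both proposed fixes achieve.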

Comment 5 zhaozhanqi 2021-11-10 05:48:40 UTC
Move this bug to assign status since the linked PR has been reverted. Please help link the correct PR and update the bug status. Thanks.

Comment 6 Patryk Diak 2021-11-24 09:50:26 UTC
https://github.com/openshift/ovn-kubernetes/pull/834 includes the required fixes downstream.

Comment 12 errata-xmlrpc 2022-03-12 04:38:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056