Bug 2031012

Summary: Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex
Product: OpenShift Container Platform Reporter: Federico Paolinelli <fpaoline>
Component: Networking Assignee: Federico Paolinelli <fpaoline>
Networking sub component: ovn-kubernetes QA Contact: Arti Sood <asood>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: alolivei, andbartl, anusaxen, djuran, fbaudin, federico.pulido, gkopels, ibodunov, jlema, mzhidovi, trozet
Version: 4.9   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2040594 Environment:
Last Closed: 2022-03-10 16:32:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2040594    

Description Federico Paolinelli 2021-12-10 10:02:14 UTC
Description of problem:

MetalLB + OVNK.
Layer 2 mode, the service client tries to hit the service from a network connected to a secondary NIC of the host (not br-ex).

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Deploy MetalLB
2. Deploy an application that leverages a service using an IP from the network reachable from a secondary NIC
3. Try to reach the service from a network connected to a secondary NIC

Actual results:
It's not possible to reach the service

Expected results:
The service is reachable

Additional info:

Comment 4 Mohamed Mahmoud 2022-01-07 21:03:55 UTC
*** Bug 2038309 has been marked as a duplicate of this bug. ***

Comment 25 Greg Kopels 2022-02-09 13:22:56 UTC
Bz verified on dual stack cluster version 4.10.0-fc.2 by QE Networking

1. Create dual stack layer2 AddressPool

2. Create a service
[gkopels@ cnf-gotests (metallb-47182-1)]$ oc get service
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP                            PORT(S)        AGE
nginx        LoadBalancer   172.30.77.129   10.46.56.131,2620:52:0:2e38::200       80:31186/TCP   44m

3. Create a backend service

[gkopels@ cnf-gotests (metallb-47182-1)]$ oc get pods -owide
NAME    READY   STATUS    RESTARTS   AGE   IP             NODE                              NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          39m   10.131.0.143   helix13.lab.eng.tlv2.redhat.com   <none>           <none>

4. On the same node as the backend service pod, create interface dummy0

[root@helix13 core]# ip a show dummy0
162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff
    inet 10.100.100.254/24 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 2620:52:0:2e38::500/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::48ad:c2ff:fe22:e903/64 scope link
       valid_lft forever preferred_lft forever

5. Verify service and announcing node

[gkopels@ test_cases]$ oc describe service nginx
Name:                     nginx
Namespace:                default
Labels:                   <none>
Annotations:              metallb.universe.tf/address-pool: addresspool2
Selector:                 app=nginx
Type:                     LoadBalancer
IP Family Policy:         RequireDualStack
IP Families:              IPv4,IPv6
IP:                       172.30.77.129
IPs:                      172.30.77.129,fd02::d24d
LoadBalancer Ingress:     10.46.56.131, 2620:52:0:2e38::200
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31186/TCP
Endpoints:                10.131.0.143:80
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30149
Events:
  Type    Reason        Age              From                Message
  ----    ------        ----             ----                -------
  Normal  IPAllocated   6m15s            metallb-controller  Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"]
  Normal  nodeAssigned  2s (x2 over 2s)  metallb-speaker     announcing from node "helix13.lab.eng.tlv2.redhat.com"
[gkopels@ test_cases]$ oc describe service nginx
Name:                     nginx
Namespace:                default
Labels:                   <none>
Annotations:              metallb.universe.tf/address-pool: addresspool2
Selector:                 app=nginx
Type:                     LoadBalancer
IP Family Policy:         RequireDualStack
IP Families:              IPv4,IPv6
IP:                       172.30.77.129
IPs:                      172.30.77.129,fd02::d24d
LoadBalancer Ingress:     10.46.56.131, 2620:52:0:2e38::200
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31186/TCP
Endpoints:                10.131.0.143:80
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30149
Events:
  Type    Reason        Age              From                Message
  ----    ------        ----             ----                -------
  Normal  IPAllocated   6m17s            metallb-controller  Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"]
  Normal  nodeAssigned  4s (x2 over 4s)  metallb-speaker     announcing from node "helix13.lab.eng.tlv2.redhat.com"

6. Curl external IPv4 with dummy0 as source address

curl --interface 10.100.100.254 10.46.56.131

7. Curl external IPv6 with dummy0 as source address

curl --interface 2620:52:0:2e38::500 [2620:52:0:2e38::200]


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
        <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <style type="text/css">
            /*<![CDATA[*/
            body {
                background-color: #fff;
                color: #000;
                font-size: 0.9em;
                font-family: sans-serif,helvetica;
                margin: 0;
                padding: 0;

Comment 26 Greg Kopels 2022-02-09 13:55:48 UTC
Reran the test with a new IPv6 address on interface dummy0 outside of the IPv6 node IP range.

[root@helix13 core]# ip a show dummy0
162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff
    inet 10.100.100.254/24 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 2620:52:0:200::500/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::48ad:c2ff:fe22:e903/64 scope link 
       valid_lft forever preferred_lft forever

[root@helix13 core]# curl --interface 2620:52:0:200::500 [2620:52:0:2e38::200]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
        <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <style type="text/css">
            /*<![CDATA[*/
            body {
                background-color: #fff;
                color: #000;
                font-size: 0.9em;
                font-family: sans-serif,helvetica;
                margin: 0;
                padding: 0;
            }


### AddressPool ###

apiVersion: metallb.io/v1beta1
kind: AddressPool
metadata:
  name: addresspool2
  namespace: metallb-system
spec:
  protocol: layer2
  autoAssign: true
  addresses:
    - 10.46.56.131-10.46.56.132
    - 2620:52:0:2e38::200-2620:52:0:2e38::400
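
An added example, not part of the original comments: a small Python check of the addressing used in the two verification runs above. It confirms that the LoadBalancer ingress IPs come from the AddressPool and reports which of them share a subnet with the dummy0 addresses from comment 25 and comment 26. All addresses are copied from the comments; the function names are hypothetical.

```python
import ipaddress

# Values copied from the AddressPool, service and dummy0 output in comments 25 and 26.
POOL_RANGES = [
    "10.46.56.131-10.46.56.132",
    "2620:52:0:2e38::200-2620:52:0:2e38::400",
]
LB_INGRESS = ["10.46.56.131", "2620:52:0:2e38::200"]
DUMMY0_COMMENT_25 = ["10.100.100.254/24", "2620:52:0:2e38::500/64"]
DUMMY0_COMMENT_26 = ["10.100.100.254/24", "2620:52:0:200::500/64"]


def in_pool(ip, ranges=POOL_RANGES):
    """True if ip falls inside any pool entry ('first-last' range or CIDR)."""
    addr = ipaddress.ip_address(ip)
    for entry in ranges:
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            if addr.version == net.version and addr in net:
                return True
            continue
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        # Compare only within the same address family; mixed compares raise TypeError.
        if addr.version == first.version and first <= addr <= last:
            return True
    return False


def on_link_vips(iface_addrs, vips=LB_INGRESS):
    """Return the VIPs that lie inside a subnet configured on the interface."""
    nets = [ipaddress.ip_interface(a).network for a in iface_addrs]
    hits = []
    for vip in vips:
        addr = ipaddress.ip_address(vip)
        if any(addr.version == n.version and addr in n for n in nets):
            hits.append(vip)
    return hits


if __name__ == "__main__":
    for vip in LB_INGRESS:
        print(f"{vip} allocated from pool: {in_pool(vip)}")
    for label, addrs in (("comment 25", DUMMY0_COMMENT_25),
                         ("comment 26", DUMMY0_COMMENT_26)):
        shared = on_link_vips(addrs)
        print(f"dummy0 in {label}: VIPs in the same subnet: {shared or 'none'}")
```

With the comment 25 addresses the IPv6 VIP sits in the same /64 as dummy0, while with the comment 26 address neither VIP shares a subnet with the interface.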

Comment 31 errata-xmlrpc 2022-03-10 16:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 32 Red Hat Bugzilla 2023-09-15 01:18:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days