Bug 1272966 - [networking_139] Services cannot be unisolated when unisolate the project
[networking_139] Services cannot be unisolated when unisolate the project
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Networking (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Ravi Sankar
Meng Bo
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-19 06:17 EDT by Meng Bo
Modified: 2015-11-23 16:17 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 16:17:47 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Meng Bo 2015-10-19 06:17:15 EDT
Description of problem:
Create some pods/services in projects, make one of the projects to be unisolated via oadm.

Only the pods in the project are unisolated, the service cannot be accessed via other projects.

Version-Release number of selected component (if applicable):
openshift v1.0.6-693-g63d9b6a-dirty
kubernetes v1.1.0-alpha.1-653-g86b4e77
etcd 2.1.2
openshift-sdn 57af6adcf067052b7ad97d4747ed4d3390c3a94a

How reproducible:
always

Steps to Reproduce:
1. Setup multi-node env with multi-tenant networking plugin
2. Create 2 projects which content 1 service and 2 pods
3. Make one of the project unisolate
# oadm pod-network unisolate u1p1
4. Try to access the pod/service in u1p1 from other projects

Actual results:
Only the pod in u1p1 can be accessed from outside, but the service cannot be accessed.

Expected results:
Both the pods and service should be accessible after unisolated.

Additional info:
Diff the dump-flows of before and after unisolated, the pod's rule will be replaced by new rule, but the service's rule will be appended with new rule.


Before unisolate:
 cookie=0x5, duration=40.637s, table=3, n_packets=0, n_bytes=0, priority=100,ip,in_port=5,nw_src=10.1.2.3 actions=load:0xd->NXM_NX_REG0[],goto_table:4
 cookie=0x4, duration=41.358s, table=3, n_packets=0, n_bytes=0, priority=100,ip,in_port=4,nw_src=10.1.2.2 actions=load:0xc->NXM_NX_REG0[],goto_table:4
 cookie=0x0, duration=145.612s, table=4, n_packets=0, n_bytes=0, priority=0 actions=goto_table:5
 cookie=0x0, duration=52.203s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,reg0=0xd,nw_dst=172.30.169.151,tp_dst=27017 actions=output:2
 cookie=0x0, duration=52.521s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,reg0=0xc,nw_dst=172.30.111.172,tp_dst=27017 actions=output:2
 cookie=0x0, duration=142.421s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.68.156,tp_dst=5000 actions=output:2
 cookie=0x0, duration=142.418s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.24.245,tp_dst=80 actions=output:2
 cookie=0x0, duration=142.420s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.0.1,tp_dst=443 actions=output:2
 cookie=0x0, duration=145.613s, table=4, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=172.30.0.0/16 actions=drop


After unisolate:
 cookie=0x5, duration=64.396s, table=3, n_packets=0, n_bytes=0, priority=100,ip,in_port=5,nw_src=10.1.2.3 actions=load:0xd->NXM_NX_REG0[],goto_table:4
 cookie=0x4, duration=4.687s, table=3, n_packets=0, n_bytes=0, priority=100,ip,in_port=4,nw_src=10.1.2.2 actions=load:0->NXM_NX_REG0[],goto_table:4
 cookie=0x0, duration=169.371s, table=4, n_packets=0, n_bytes=0, priority=0 actions=goto_table:5
 cookie=0x0, duration=75.962s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,reg0=0xd,nw_dst=172.30.169.151,tp_dst=27017 actions=output:2
 cookie=0x0, duration=76.280s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,reg0=0xc,nw_dst=172.30.111.172,tp_dst=27017 actions=output:2
 cookie=0x0, duration=166.180s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.68.156,tp_dst=5000 actions=output:2
 cookie=0x0, duration=4.676s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.111.172,tp_dst=27017 actions=output:2
 cookie=0x0, duration=166.177s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.24.245,tp_dst=80 actions=output:2
 cookie=0x0, duration=166.179s, table=4, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.30.0.1,tp_dst=443 actions=output:2
 cookie=0x0, duration=169.372s, table=4, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=172.30.0.0/16 actions=drop
Comment 1 Meng Bo 2015-10-23 07:04:15 EDT
Just checked this bug with openshift-sdn version 1e4edc9abb6bb8ac7e5cd946ddec4c10cc714d67.

Cannot be reproduced anymore, should be fixed with bug 1272295.

Can you help move the bug to QE and then I can verify it?
Comment 2 Ravi Sankar 2015-10-26 17:11:08 EDT
Tested this issue on openshift-sdn revision 0da8887fce939e4ace4a
Service isolation is working as expected after unisolate-projects command is issued. 
@bomeng I'm also unable to reproduce the issue. Moving the bug to QE.
Comment 3 Meng Bo 2015-10-28 01:40:30 EDT
Checked with openshift version v1.0.6-997-gff3b522

Issue cannot be reproducible.

Verify the bug.

Note You need to log in before you can comment on or make changes to this bug.