Bug 1437568 - Egress routing doesn't work Vmware platform if promiscuous mode setting is not enabled in dvswitch
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.3.0
Assignee: Ben Bennett
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Duplicates: 1570092
Depends On:
Blocks:
 
Reported: 2017-03-30 14:44 UTC by Nicolas Nosenzo
Modified: 2021-03-11 15:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-18 21:22:16 UTC
Target Upstream Version:
Embargoed:



Description Nicolas Nosenzo 2017-03-30 14:44:01 UTC
Description of problem:

After enabling "MAC Address Changes" and "Forged Transmissions" on the dvSwitch, as stated in the documentation [0], the egress pod doesn't work if promiscuous mode is disabled.

[0] https://docs.openshift.com/container-platform/3.4/admin_guide/managing_pods.html#admin-guide-limit-pod-access-important-deployment-considerations

Version-Release number of selected component (if applicable):

Environment:
Openshift 3.4
VMware



How reproducible:
100%

Steps to Reproduce:
1. Enable "MAC Address Changes" and "Forged Transmissions"
2. Deploy an egress router pod:

[root@bf-ocp-master2 ~]# cat egresstest.yaml
apiVersion: v1
kind: Pod
metadata:
  name: egress-1
  labels:
    name: egress-1
  annotations:
    pod.network.openshift.io/assign-macvlan: "true"
spec:
  containers:
  - name: egress-router
    image: openshift3/ose-egress-router
    securityContext:
      privileged: true
    env:
    - name: EGRESS_SOURCE 
      value: 10.23.155.13
    - name: EGRESS_GATEWAY 
      value: 10.23.155.1 
    - name: EGRESS_DESTINATION 
      value: 195.225.7.67 
  nodeSelector:
    type: node

[root@bf-ocp-master2 ~]#


3. "oc rsh" within the pod, try to ping the $EGRESS_DESTINATION, got "Destination Host Unreachable" message:

[root@bf-ocp-master2 ~]# oc rsh egress-1 
sh-4.2# ping 195.225.7.67
PING 195.225.7.67 (195.225.7.67) 56(84) bytes of data.
From 10.23.155.13 icmp_seq=1 Destination Host Unreachable
From 10.23.155.13 icmp_seq=2 Destination Host Unreachable
From 10.23.155.13 icmp_seq=3 Destination Host Unreachable
From 10.23.155.13 icmp_seq=4 Destination Host Unreachable

sh-4.2# ip n
10.23.155.1 dev macvlan0  FAILED

[root@bf-ocp-node3 ~]#


Actual results:
$EGRESS_DESTINATION is not reachable inside the pods

Expected results:
EGRESS_DESTINATION should be "pingable" from the egress router pod

Additional info:
As per [1]: vSwitches do not "learn" MAC addresses. To make this work,  promiscuous mode on the vSwitch might need to be enabled.

[1] https://communities.vmware.com/thread/320523?start=0&tstart=0
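
A triage check for the symptom above, added here as an example (it is not part of the original report or of OpenShift): it classifies the gateway's neighbour entry from `ip neigh` output taken inside the egress router pod. The function names and the second sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the neighbour (ARP) state of the egress gateway.
# Input is the text output of `ip neigh`, read from stdin.

# neigh_state GATEWAY_IP DEV
# Prints the state of the entry for GATEWAY_IP on DEV, or NONE if absent.
neigh_state() {
    awk -v ip="$1" -v dev="$2" '
        $1 == ip {
            # Locate "dev <name>"; the neighbour state is the last field.
            for (i = 2; i + 1 < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) { print $NF; found = 1; exit }
        }
        END { if (!found) print "NONE" }
    '
}

# egress_arp_verdict GATEWAY_IP [DEV]   (DEV defaults to macvlan0)
#   arp-unresolved : the gateway never answered ARP on the macvlan interface,
#                    which is the symptom this report shows
#   resolved       : the gateway MAC is known, so look further up the path
#   no-entry       : nothing has tried to reach the gateway on DEV yet
egress_arp_verdict() {
    state=$(neigh_state "$1" "${2:-macvlan0}")
    case "$state" in
        FAILED|INCOMPLETE) echo "arp-unresolved" ;;
        REACHABLE|STALE|DELAY|PROBE|PERMANENT|NOARP) echo "resolved" ;;
        NONE) echo "no-entry" ;;
        *) echo "unknown:$state" ;;
    esac
}

# SAMPLE_FAILED is the entry shown in the report. SAMPLE_OK is a constructed
# healthy entry for comparison (the MAC address is made up).
SAMPLE_FAILED='10.23.155.1 dev macvlan0  FAILED'
SAMPLE_OK='10.23.155.1 dev macvlan0 lladdr 00:50:56:00:00:01 REACHABLE'

printf '%s\n' "$SAMPLE_FAILED" | egress_arp_verdict 10.23.155.1
printf '%s\n' "$SAMPLE_OK" | egress_arp_verdict 10.23.155.1
```

Inside the pod the live form is `ip neigh | egress_arp_verdict "$EGRESS_GATEWAY"`, run after at least one ping attempt so that an entry exists.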

Comment 2 Nicolas Nosenzo 2017-04-03 07:59:42 UTC
Some concerns within the original case, 

Can we expect an IPVLAN solution for egress routing in Openshift? If not, is there any other way of doing this without using MacVLAN or IPVLAN?

Comment 3 Dan Winship 2017-04-04 20:19:21 UTC
(In reply to Nicolas Nosenzo from comment #2)
> Some concerns within the original case, 
> 
> Can we expect an IPVLAN solution for egress routing in Openshift? If not, is
> there any other way of doing this without using MacVLAN or IPVLAN?

There is currently no way to do this without using MacVLAN, and no plan to implement any other way. It would be possible to implement a solution using either ipvlan or a second NIC. So, moving this from "Networking" to "RFE".

Comment 5 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug. 
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog, 
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. 

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred, 
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.

Comment 7 Sanket N 2018-12-03 12:56:14 UTC
*** Bug 1570092 has been marked as a duplicate of this bug. ***

