Bug 1570398 – [3.9] DNS to local node vs. static egress IP

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1570398 - [3.9] DNS to local node vs. static egress IP

Summary:	[3.9] DNS to local node vs. static egress IP

Status:	CLOSED ERRATA

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking (Show other bugs)
Sub Component:
Version:	3.9.0
Hardware:	x86_64 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	3.9.z
Assigned To:	Dan Winship
QA Contact:	Meng Bo
Docs Contact:

URL:
Whiteboard:
Keywords:	NeedsTestCase

Depends On:	1557924
Blocks:
	Show dependency tree / graph

Reported:	2018-04-22 10:59 EDT by Dan Winship
Modified:	2018-05-17 02:44 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: When using per-namespace static egress IPs, all external traffic is routed through the egress IP. "External" means all traffic which isn't directed to another pod, and so includes traffic from the pod to the pod's node. Consequence: When pods are told to use the node's IP address for DNS, and the pod is using a static egress IP, then DNS traffic will be routed to the egress node first, and then back to the original node, which might be configured to not accept DNS requests from other hosts, causing the pod to be unable to resolve DNS. Fix: pod-to-node DNS requests now bypass the egress IP and go directly to the node Result: DNS works
Story Points:	---
Clone Of:	1557924
Clones:	1570399 1570400 (view as bug list)
Environment:
Last Closed:	2018-05-17 02:43:40 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Github	ose/pull/1218	None	None	None	2018-04-22 11:02 EDT
Red Hat Product Errata	RHBA-2018:1566	None	None	None	2018-05-17 02:44 EDT

Groups: None (edit)

Comment 1 Dan Winship 2018-04-22 11:02:30 EDT

https://github.com/openshift/ose/pull/1218

Comment 5 Meng Bo 2018-05-02 05:22:31 EDT

Tested on build v3.9.27

The dns query on a non-egress-node pod will not be transferred to the egress node.

Steps:
1. Setup env with network policy plugin
2. Patch any of the node as egress node
3. Create project and pods in it
4. Patch project with egress IP in step 2
5. tcpdump on port 53 on all the nodes
6. Try to send a dns query to the local dns server from the pod which is landed on the non-egress-node 
7. There is no packet generated on the egress node

Comment 6 Dan Winship 2018-05-02 07:57:46 EDT

(In reply to Meng Bo from comment #5)
> 6. Try to send a dns query to the local dns server from the pod which is
> landed on the non-egress-node 
> 7. There is no packet generated on the egress node

(And the DNS query in step 6 should succeed.)

Comment 7 Meng Bo 2018-05-02 22:46:11 EDT

(In reply to Dan Winship from comment #6)
> (In reply to Meng Bo from comment #5)
> > 6. Try to send a dns query to the local dns server from the pod which is
> > landed on the non-egress-node 
> > 7. There is no packet generated on the egress node
> 
> (And the DNS query in step 6 should succeed.)

Aha, yeah, thanks.
It succeeded indeed.

Comment 10 errata-xmlrpc 2018-05-17 02:43:40 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566

Note You need to log in before you can comment on or make changes to this bug.