1570398 – [3.9] DNS to local node vs. static egress IP

Bug 1570398 - [3.9] DNS to local node vs. static egress IP

Summary: [3.9] DNS to local node vs. static egress IP

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	3.9.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.9.z
Assignee:	Dan Winship
QA Contact:	Meng Bo
Docs Contact:
URL:
Whiteboard:
Depends On:	1557924
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-22 14:59 UTC by Dan Winship
Modified:	2018-12-29 03:43 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: When using per-namespace static egress IPs, all external traffic is routed through the egress IP. "External" means all traffic which isn't directed to another pod, and so includes traffic from the pod to the pod's node. Consequence: When pods are told to use the node's IP address for DNS, and the pod is using a static egress IP, then DNS traffic will be routed to the egress node first, and then back to the original node, which might be configured to not accept DNS requests from other hosts, causing the pod to be unable to resolve DNS. Fix: pod-to-node DNS requests now bypass the egress IP and go directly to the node Result: DNS works
Clone Of:	1557924
Clones:	1570399 1570400 (view as bug list)
Environment:
Last Closed:	2018-05-17 06:43:40 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	ose/pull/1218	None	None	None	2018-04-22 15:02:29 UTC
Red Hat Product Errata	RHBA-2018:1566	None	None	None	2018-05-17 06:44:00 UTC

Comment 1 Dan Winship 2018-04-22 15:02:30 UTC

https://github.com/openshift/ose/pull/1218

Comment 5 Meng Bo 2018-05-02 09:22:31 UTC

Tested on build v3.9.27

The dns query on a non-egress-node pod will not be transferred to the egress node.

Steps:
1. Setup env with network policy plugin
2. Patch any of the node as egress node
3. Create project and pods in it
4. Patch project with egress IP in step 2
5. tcpdump on port 53 on all the nodes
6. Try to send a dns query to the local dns server from the pod which is landed on the non-egress-node 
7. There is no packet generated on the egress node

Comment 6 Dan Winship 2018-05-02 11:57:46 UTC

(In reply to Meng Bo from comment #5)
> 6. Try to send a dns query to the local dns server from the pod which is
> landed on the non-egress-node 
> 7. There is no packet generated on the egress node

(And the DNS query in step 6 should succeed.)

Comment 7 Meng Bo 2018-05-03 02:46:11 UTC

(In reply to Dan Winship from comment #6)
> (In reply to Meng Bo from comment #5)
> > 6. Try to send a dns query to the local dns server from the pod which is
> > landed on the non-egress-node 
> > 7. There is no packet generated on the egress node
> 
> (And the DNS query in step 6 should succeed.)

Aha, yeah, thanks.
It succeeded indeed.

Comment 10 errata-xmlrpc 2018-05-17 06:43:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566

Note You need to log in before you can comment on or make changes to this bug.