Bug 1737386 - [4.1 backport] cannot access to the service's externalIP with egressIP in openshift-ovs-multitenant environment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Casey Callendrello
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On: 1726045
Blocks:
Reported: 2019-08-05 09:25 UTC by Casey Callendrello
Modified: 2019-10-17 08:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1726045
Environment:
Last Closed: 2019-09-10 15:59:27 UTC
Target Upstream Version:


Attachments
iptables-save (27.52 KB, text/plain), 2019-08-30 01:10 UTC, zhaozhanqi


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift origin pull 23548 | 0 | None | closed | Bug 1737386: pkg/network: skip OPENSHIFT-MASQ for traffic already marked for masquerade | 2020-05-11 19:22:47 UTC
Red Hat Product Errata | RHSA-2019:2594 | 0 | None | None | None | 2019-09-10 15:59:38 UTC

Comment 2 zhaozhanqi 2019-08-29 08:46:16 UTC
This issue was not fixed in 4.1.0-0.nightly-2019-08-28-043410.
See below. z1 has an egress IP, z2 has an external IP, and z3 is without an egress IP.

# oc get netnamespaces z1 -o yaml
apiVersion: network.openshift.io/v1
egressIPs:
- 139.178.76.100     
kind: NetNamespace
metadata:
  creationTimestamp: "2019-08-29T08:15:49Z"
  generation: 2
  name: z1
  resourceVersion: "27094"
  selfLink: /apis/network.openshift.io/v1/netnamespaces/z1
  uid: 358cb6b6-ca35-11e9-86fc-0050568b2776
netid: 7381622
netname: z1


[root@dhcp-140-66 bug-1726045]# oc get hostsubnet control-plane-0 -o yaml
apiVersion: network.openshift.io/v1
egressIPs:
- 139.178.76.100
host: control-plane-0
hostIP: 139.178.76.37
kind: HostSubnet
metadata:
  annotations:
    pod.network.openshift.io/node-uid: 3aa65225-ca2b-11e9-bf25-0050568b8a56
  creationTimestamp: "2019-08-29T07:05:01Z"
  generation: 2
  name: control-plane-0
  resourceVersion: "28398"
  selfLink: /apis/network.openshift.io/v1/hostsubnets/control-plane-0
  uid: 51ebd6f6-ca2b-11e9-bf25-0050568b8a56
subnet: 10.129.0.0/23

# oc get pod -n z1
NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          6m52s

#oc get svc -n z2
NAME               TYPE        CLUSTER-IP      EXTERNAL-IP      PORT(S)     AGE
service-unsecure   ClusterIP   172.30.53.205   139.178.76.101   27017/TCP   20m

# oc get pod -n z3
NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          19m

# oc rsh -n z1 hello-pod
/ # curl 139.178.76.101:27017 --connect-timeout 4
curl: (28) Connection timed out after 4001 milliseconds

## oc rsh -n z3 hello-pod
/ # curl 139.178.76.101:27017 --connect-timeout 4
Hello OpenShift!

Comment 3 Casey Callendrello 2019-08-29 09:43:09 UTC
Nuts. Can you attach the output of `iptables-save` for the test cluster, please?

Comment 4 zhaozhanqi 2019-08-30 01:10:40 UTC
Created attachment 1609729
iptables-save

Comment 5 zhaozhanqi 2019-08-30 01:11:48 UTC
My bad. I thought I attached the iptables rules yesterday. Sorry for the late attachment.

Comment 6 zhaozhanqi 2019-08-30 07:43:09 UTC
Hi Casey,

  Please ignore the above information; this bug has been fixed. I made a mistake by using an invalid external IP for the node. Sorry for this.

  Verified this bug.

Comment 7 Casey Callendrello 2019-08-30 07:57:46 UTC
Thanks for the update!

Comment 9 errata-xmlrpc 2019-09-10 15:59:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2594

