Bug 1809691 - [IPI Baremetal][ipv6]: DHCP requests not blocked to bootstrap when using IPv6
Summary: [IPI Baremetal][ipv6]: DHCP requests not blocked to bootstrap when using IPv6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.5.0
Assignee: Stephen Benjamin
QA Contact: Nataf Sharabi
URL:
Whiteboard:
Depends On:
Blocks: 1809695
Reported: 2020-03-03 17:05 UTC by Stephen Benjamin
Modified: 2020-07-13 17:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The wrong port number was used when blocking DHCP traffic to the bootstrap node on IPv6.
Consequence: A race was introduced where a worker could incorrectly get a DHCP lease from the bootstrap node.
Fix: Block the correct port for DHCPv6.
Result: Workers only provision from the Metal3 infrastructure running in the cluster.
Clone Of:
Clones: 1809695
Environment:
Last Closed: 2020-07-13 17:17:45 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 3223 0 None closed Bug 1809691: baremetal: block 547/udp for DHCPv6 as well 2020-11-13 16:39:56 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:18:07 UTC

Description Stephen Benjamin 2020-03-03 17:05:48 UTC
In BZ#1800746, we fixed a race where both bootstrap and cluster provisioning infrastructure are online at the same time, but we used the wrong port for DHCPv6.

RFC8415 says:

    Clients listen for DHCP messages on UDP port 546.  Servers and relay
    agents listen for DHCP messages on UDP port 547.

We need to add 547/udp to block any incoming requests.

Comment 3 Nataf Sharabi 2020-06-08 22:18:07 UTC
[root@titan44 ~]# oc version
Client Version: 4.5.0-202005291417-9933eb9

from the bootstrap during installation:

[root@titan44 ~]# virsh list --all
 Id   Name                                 State
-----------------------------------------------------
...output omitted...
 19   ocp-edge-cluster-0-rz8rb-bootstrap   running
...output omitted...


[core@localhost ~]$ sudo iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:547

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DHCP (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:80:5B:65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:3E:52:A3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:4F:6B:83
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
[core@localhost ~]$
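The following audit script is an added example, not code from this bug, from the installer pull request or from Red Hat. It parses raw-table listings in the form Comment 3 shows and checks what the fix above is meant to guarantee: that 67/udp and 547/udp are both diverted into a DHCP chain that accepts only the installer's allowlisted MACs and ends in an unconditional DROP. The IPv4 listing is the one from Comment 3; the ip6tables listings are constructed, one in the fixed state and one in a pre-fix state where the 547/udp rule is absent. Because DHCPv6 packets are IPv6 packets, the check expects the 547/udp rule in the ip6tables listing; an IPv4 rule for port 547 never matches them. The chain name DHCP is taken from Comment 3, and the function names are this example's own.

```python
"""Added example: audit a bootstrap node's raw-table DHCP rules for both address families."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DHCPV4_SERVER_PORT = 67   # BOOTP/DHCP server port
DHCPV6_SERVER_PORT = 547  # RFC 8415: DHCPv6 servers and relay agents listen here
DHCP_CHAIN = "DHCP"       # chain name as seen in Comment 3


@dataclass
class Rule:
    target: str
    proto: str
    dport: Optional[int]
    mac: Optional[str]


def parse_raw_listing(text: str) -> Dict[str, List[Rule]]:
    """Turn an `iptables -t raw -L -n` / `ip6tables -t raw -L -n` listing into {chain: [rules]}.

    Only target, protocol, `udp dpt:N` and `MAC xx:..` are read, so the IPv4 layout
    (with a `--` opt column) and the IPv6 layout (blank opt column) parse the same way.
    """
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) ", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        fields = line.split()
        dport = re.search(r"dpt:(\d+)", line)
        mac = re.search(r"MAC (\S+)", line)
        chains[current].append(Rule(
            target=fields[0],
            proto=fields[1],
            dport=int(dport.group(1)) if dport else None,
            mac=mac.group(1).lower() if mac else None,
        ))
    return chains


def diverted_server_ports(chains: Dict[str, List[Rule]]) -> Set[int]:
    """UDP destination ports that PREROUTING hands to the DHCP chain."""
    return {r.dport for r in chains.get("PREROUTING", [])
            if r.target == DHCP_CHAIN and r.proto == "udp" and r.dport is not None}


def is_mac_allowlist(chains: Dict[str, List[Rule]]) -> bool:
    """True when the DHCP chain only ACCEPTs by MAC and ends in an unconditional DROP."""
    rules = chains.get(DHCP_CHAIN, [])
    if not rules or rules[-1].target != "DROP" or rules[-1].mac is not None:
        return False
    return all(r.target == "ACCEPT" and r.mac is not None for r in rules[:-1])


def allowed_macs(chains: Dict[str, List[Rule]]) -> Set[str]:
    """MAC addresses still allowed to reach the bootstrap's DHCP server."""
    return {r.mac for r in chains.get(DHCP_CHAIN, []) if r.target == "ACCEPT" and r.mac}


def audit(iptables_listing: str, ip6tables_listing: str) -> List[str]:
    """Return findings; an empty list means DHCPv4 and DHCPv6 are both blocked as intended.

    The 547/udp rule is looked for in the ip6tables listing only: IPv4 rules never
    match DHCPv6 packets, whatever port they name.
    """
    findings = []
    v4 = parse_raw_listing(iptables_listing)
    v6 = parse_raw_listing(ip6tables_listing)
    if DHCPV4_SERVER_PORT not in diverted_server_ports(v4):
        findings.append("IPv4: no PREROUTING rule diverts 67/udp into the DHCP chain")
    if DHCPV6_SERVER_PORT not in diverted_server_ports(v6):
        findings.append("IPv6: no PREROUTING rule diverts 547/udp into the DHCP chain (this bug)")
    for family, chains in (("IPv4", v4), ("IPv6", v6)):
        if diverted_server_ports(chains) and not is_mac_allowlist(chains):
            findings.append(f"{family}: DHCP chain is not a MAC allowlist ending in DROP")
    return findings


# IPv4 listing as captured on the bootstrap in Comment 3.
IPTABLES_RAW = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DHCP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:547

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DHCP (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:80:5B:65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:3E:52:A3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MAC 52:54:00:4F:6B:83
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed ip6tables listing in the fixed state: 547/udp diverted into the same allowlist.
IP6TABLES_RAW_FIXED = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DHCP       udp      ::/0                 ::/0                 udp dpt:547

Chain DHCP (1 references)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0                 MAC 52:54:00:80:5B:65
DROP       all      ::/0                 ::/0
"""

# Constructed pre-fix state: the 547/udp rule is missing (the DHCPv4 port stands in for it).
IP6TABLES_RAW_PREFIX = IP6TABLES_RAW_FIXED.replace("dpt:547", "dpt:67")
```

Feed it the two listings captured from the bootstrap over SSH; `audit(IPTABLES_RAW, IP6TABLES_RAW_FIXED)` returns an empty list, while the pre-fix IPv6 listing yields a single finding naming the missing 547/udp rule.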

Comment 5 errata-xmlrpc 2020-07-13 17:17:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

