+++ This bug was initially created as a clone of Bug #1809691 +++

In BZ#1800746, we fixed a race where both bootstrap and cluster provisioning infrastructure are online at the same time, but we used the wrong port for DHCPv6. RFC8415 says:

    Clients listen for DHCP messages on UDP port 546. Servers and relay agents listen for DHCP messages on UDP port 547.

We need to add 547/udp to block any incoming requests.
In order to verify:

1. During installation, notice that the bootstrap machine is created:

    virsh list --all
     Id    Name                               State
    ----------------------------------------------------
     219   provisionhost-0                    running
     220   ocp-edge-cluster-77jtp-bootstrap   running

2. From baremetal run:

    virsh console ocp-edge-cluster-77jtp-bootstrap

3. You should see in the console:

    ens3: 192.168.123.126 fe80::9337:ec5a:fc32:16c1
    ens4: fd00:1101::2

4. From baremetal run:

    ssh kni@provisionhost

5. From provisionhost run:

    ssh core.123.126

6. From bootstrap run:

    sudo ip6tables -t raw -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DHCP       udp      anywhere             anywhere             udp dpt:bootps
    DHCP       udp      anywhere             anywhere             udp dpt:dhcpv6-server

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DHCP (2 references)
    target     prot opt source               destination
    ACCEPT     all      anywhere             anywhere             MAC 52:54:00:2B:C2:2A
    ACCEPT     all      anywhere             anywhere             MAC 52:54:00:07:5C:BA
    ACCEPT     all      anywhere             anywhere             MAC 52:54:00:47:48:CB
    DROP       all      anywhere             anywhere

The rules match the code in:

https://github.com/openshift/installer/pull/3079/files
https://github.com/openshift/installer/pull/3243/files
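The step 6 inspection above can be scripted. This is an added example, not part of the original comment or of the installer's code: the function names and the embedded listing are constructed here, and the check assumes the `ip6tables -t raw -L` column layout shown in that step.

```shell
#!/usr/bin/env bash
# Added example: validate `ip6tables -t raw -L` output read from stdin.
# On a live bootstrap host: sudo ip6tables -t raw -L | check_dhcp_raw_rules

check_dhcp_raw_rules() {
  awk '
    $1 == "Chain"             { chain = $2; next }
    $1 == "target" || NF == 0 { next }
    # PREROUTING must hand both DHCP server ports to the DHCP chain.
    chain == "PREROUTING" && $1 == "DHCP" && $2 == "udp" {
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^dpt:(dhcpv6-server|547)$/) v6 = 1
        if ($i ~ /^dpt:(bootps|67)$/)         v4 = 1
      }
    }
    # The DHCP chain may only accept by MAC and must end in DROP.
    chain == "DHCP" {
      last = $1
      if ($1 == "ACCEPT") {
        if ($0 ~ /MAC/) { macs++ } else { open = 1 }
      }
    }
    END {
      if (!v6)            { print "FAIL: udp/547 is not sent to the DHCP chain"; bad = 1 }
      if (!v4)            { print "FAIL: udp/67 is not sent to the DHCP chain";  bad = 1 }
      if (open)           { print "FAIL: DHCP chain has an ACCEPT without a MAC match"; bad = 1 }
      if (last != "DROP") { print "FAIL: DHCP chain does not end in DROP"; bad = 1 }
      if (!bad) print "OK: " (macs + 0) " MAC(s) allowed, all other senders dropped"
      exit bad + 0
    }'
}

# Constructed sample input, copied from the listing in step 6.
sample_listing() {
  cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DHCP       udp      anywhere             anywhere             udp dpt:bootps
DHCP       udp      anywhere             anywhere             udp dpt:dhcpv6-server

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DHCP (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             MAC 52:54:00:2B:C2:2A
ACCEPT     all      anywhere             anywhere             MAC 52:54:00:07:5C:BA
ACCEPT     all      anywhere             anywhere             MAC 52:54:00:47:48:CB
DROP       all      anywhere             anywhere
EOF
}

sample_listing | check_dhcp_raw_rules
```

The function exits non-zero when the 547/udp rule described in this bug is missing, so it can gate an automated verification run.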
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581