Bug 1868158 - internal load balancer on azure times out intermittently
Summary: internal load balancer on azure times out intermittently
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Stefan Schimanski
QA Contact: Michael Nguyen
URL:
Whiteboard:
Duplicates: 1869788 1873000
Depends On:
Blocks: 1845414 1869790 1881143
 
Reported: 2020-08-11 20:26 UTC by David Eads
Modified: 2021-03-03 14:20 UTC
CC List: 12 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1881143
Environment:
Last Closed: 2020-10-27 16:27:34 UTC
Target Upstream Version:
Embargoed:


Attachments


Links
- GitHub openshift machine-config-operator pull 2011 (closed): Bug 1868158: gcp, azure: Handle azure vips similar to GCP (last updated 2021-02-19 09:29:11 UTC)
- GitHub openshift machine-config-operator pull 2061 (closed): Bug 1868158: machine-config-daemon-pull: Use the MCO image (last updated 2021-02-19 09:29:11 UTC)
- Red Hat Product Errata RHBA-2020:4196 (last updated 2020-10-27 16:27:56 UTC)

Description David Eads 2020-08-11 20:26:56 UTC
Created in installer component at request of ffranz from SPLAT.

The Azure internal load balancer has frequent, short, intermittent timeouts. During these times, direct access to the kube-apiserver endpoints themselves (the pods) doesn't experience any disruption.

We know this based on the check-endpoints data contained in must-gather. It makes TCP connections to the kube-apiserver both directly and via the load balancer every second and records the results.

One example is here: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-e2e-azure-4.6/1293090769866854400. In must-gather.tar, under registry-svc-ci-openshift-org-ocp-4-6-2020-08-11-074107-sha256-0eb469557fb7b90527742e6604a3be64bf5727db4993dd0a00aa9dd58154c5a1/namespaces/openshift-apiserver/controlplane.operator.openshift.io/podnetworkconnectivitychecks, the **-api-internal.yaml files show numerous short-lived outages, while the endpoints themselves are reliable.
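For anyone looking at a live cluster rather than a must-gather, the same connectivity data can be inspected directly through the PodNetworkConnectivityCheck objects referenced above. A rough example (the exact object names vary per cluster; the name below is a placeholder):

```
# List the connectivity checks recorded by check-endpoints.
oc get podnetworkconnectivitycheck -n openshift-apiserver

# Inspect a check that targets the internal API load balancer and review the
# outages recorded in its status.
oc -n openshift-apiserver get podnetworkconnectivitycheck <name-ending-in-api-internal> -o yaml
```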

We are adding an e2e test (https://github.com/openshift/origin/pull/25291) to highlight these problems more clearly so we can count them effectively; we have already seen this behavior in several failed promotion jobs.

It often shows up as a failure to install.

Comment 1 Fabiano Franz 2020-08-11 20:47:11 UTC
I'm asking ARO if they have ever faced this and, if so, where it's being tracked.

Comment 2 Elana Hashman 2020-08-11 21:19:00 UTC
Is it possible you are encountering this issue? https://docs.microsoft.com/en-us/azure/load-balancer/concepts#limitations

> Outbound flow from a backend VM to a frontend of an internal Load Balancer will fail.

Basically, if you have a Kubernetes master behind an ILB, and you try to use the ILB to route traffic back to the originating VM, it will fail. Hence, you can see connections fail about 1/3 of the time.

In ARO 3.11, we avoided this issue by pinning all master traffic to the local apiserver: https://github.com/openshift/openshift-azure/issues/1632
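For reference, the failure pattern described above should be observable from a master node itself by hitting the internal LB frontend in a loop. A rough check (the VIP 10.0.0.8 is only an example frontend IP, and the loop assumes curl is available on the host):

```
# From a master: roughly 1 in 3 attempts is expected to fail when the ILB
# load-balances the connection back to the VM that originated it.
for i in $(seq 1 30); do
  curl -k -sS -o /dev/null -m 5 -w "attempt $i: %{http_code}\n" \
    https://10.0.0.8:6443/healthz || echo "attempt $i: failed"
done
```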

Comment 3 David Eads 2020-08-12 12:25:14 UTC
Based on a recommendation from @casey (https://coreos.slack.com/archives/CB48XQ4KZ/p1597234926141800?thread_ts=1597234292.136800&cid=CB48XQ4KZ), I'm assigning this to sttts to work with casey to figure out how to apply something like gcp-routes.service here.
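The gcp-routes.service approach mentioned here boils down to short-circuiting locally originated traffic to the LB VIP so it never leaves the node. A minimal sketch of that idea using iptables (not the actual MCO implementation; the VIP and port are placeholders):

```
#!/bin/bash
# Sketch only: redirect traffic that this node sends to the internal LB VIP
# back to the local kube-apiserver, avoiding the Azure ILB hairpin drop.
VIP=10.0.0.8          # internal LB frontend IP (placeholder)
APISERVER_PORT=6443

iptables -t nat -A OUTPUT -p tcp -d "${VIP}" --dport "${APISERVER_PORT}" \
  -j REDIRECT --to-ports "${APISERVER_PORT}"
```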

Comment 4 Abhinav Dahiya 2020-08-18 23:22:32 UTC
The installer team cannot fix the Azure platform restriction, and it seems like the apiserver and SDN teams will have to help fix this issue, so I'm moving this to the networking team to provide a fix.

Comment 5 zhaozhanqi 2020-08-19 01:31:35 UTC
This seems to be the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1825219

Comment 6 Stefan Schimanski 2020-08-28 07:59:42 UTC
*** Bug 1873000 has been marked as a duplicate of this bug. ***

Comment 11 Stefan Schimanski 2020-09-11 14:49:11 UTC
*** Bug 1869788 has been marked as a duplicate of this bug. ***

Comment 14 Micah Abbott 2020-09-23 17:13:30 UTC
@Fabiano were you able to verify this BZ while testing BZ#1878794?

Comment 15 Micah Abbott 2020-09-24 17:43:31 UTC
On a cluster running 4.6.0-0.nightly-2020-09-24-111253, I was able to confirm that the new `openshift-azure-routes` service has landed on the masters and is operating successfully. I will mark this VERIFIED in a few days unless Fabiano comes back to say it wasn't properly fixed.

```
$ oc get clusterversion                                                                                                                                                                                                                            
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS                                                                                                                                                                                                                                        
version   4.6.0-0.nightly-2020-09-24-111253   True        False         80m     Cluster version is 4.6.0-0.nightly-2020-09-24-111253

$ oc get nodes                                                                                                                                                                                                                                     
NAME                                                STATUS   ROLES    AGE    VERSION                                                                                                                                                                                                                                          
ci-ln-2h9bjmk-002ac-mp4xd-master-0                  Ready    master   103m   v1.19.0+8a39924                                                                                                                                                                                                                                  
ci-ln-2h9bjmk-002ac-mp4xd-master-1                  Ready    master   104m   v1.19.0+8a39924                                                                                                                                                                                                                                  
ci-ln-2h9bjmk-002ac-mp4xd-master-2                  Ready    master   102m   v1.19.0+8a39924                                                                                                                                                                                                                                  
ci-ln-2h9bjmk-002ac-mp4xd-worker-centralus1-24tsn   Ready    worker   91m    v1.19.0+8a39924                                                                                                                                                                                                                                  
ci-ln-2h9bjmk-002ac-mp4xd-worker-centralus2-z7ghd   Ready    worker   91m    v1.19.0+8a39924                                                                                                                                                                                                                                  
ci-ln-2h9bjmk-002ac-mp4xd-worker-centralus3-cphdn   Ready    worker   91m    v1.19.0+8a39924                                                                                                                                                                                                                                  

$ oc debug node/ci-ln-2h9bjmk-002ac-mp4xd-master-0                                                                                                                                                                                                 
Starting pod/ci-ln-2h9bjmk-002ac-mp4xd-master-0-debug ...                                                                                                                                                                                                                                                                     
To use host binaries, run `chroot /host`                                                                                                                                                                                                                                                                                      
Pod IP: 10.0.0.6                                                                                                                                                                                                                                                                                                              
If you don't see a command prompt, try pressing enter.                                                                                                                                                                                                                                                                        
sh-4.4# chroot /host
sh-4.4# head /opt/libexec/openshift-azure-routes.sh                                                                                                                                                                                                                                                                           
#!/bin/bash                                                                                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                                                              
# Prevent hairpin traffic when the apiserver is up                                                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                                                                                              
# As per the Azure documentation (https://docs.microsoft.com/en-us/azure/load-balancer/concepts#limitations),                    
# if a backend is load-balanced to itself, then the traffic will be dropped.
#
# This is because the L3LB does DNAT, so while the outgoing packet has a destination
# IP of the VIP, the incoming load-balanced packet has a destination IP of the
# host. That means that it "sees" a syn with the source and destination
sh-4.4# systemctl status openshift-azure-routes
● openshift-azure-routes.service - Work around Azure load balancer hairpin
   Loaded: loaded (/etc/systemd/system/openshift-azure-routes.service; static; vendor preset: disabled)
   Active: inactive (dead) since Thu 2020-09-24 16:10:34 UTC; 1h 29min ago
  Process: 44091 ExecStart=/bin/bash /opt/libexec/openshift-azure-routes.sh start (code=exited, status=0/SUCCESS)
 Main PID: 44091 (code=exited, status=0/SUCCESS)
      CPU: 47ms

Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: processing v4 vip 10.0.0.8
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: ensuring rule for 10.0.0.8 for internal clients
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: done applying vip rules
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 47ms CPU time
sh-4.4# journalctl -u openshift-azure-routes               
-- Logs begin at Thu 2020-09-24 15:44:44 UTC, end at Thu 2020-09-24 17:40:10 UTC. --
Sep 24 15:53:28 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 15:53:28 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[1899]: done applying vip rules
Sep 24 15:53:28 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 61ms CPU time
Sep 24 15:57:44 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 15:57:44 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[14270]: processing v4 vip 10.0.0.8
Sep 24 15:57:44 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[14270]: ensuring rule for 10.0.0.8 for internal clients
Sep 24 15:57:44 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[14270]: done applying vip rules
Sep 24 15:57:44 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 51ms CPU time
Sep 24 16:01:12 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 16:01:12 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[23866]: removing stale vip 10.0.0.8 for local clients
Sep 24 16:01:12 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[23866]: done applying vip rules
Sep 24 16:01:12 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 43ms CPU time
Sep 24 16:02:18 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 16:02:18 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[28256]: processing v4 vip 10.0.0.8
Sep 24 16:02:18 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[28256]: ensuring rule for 10.0.0.8 for internal clients
Sep 24 16:02:18 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[28256]: done applying vip rules
Sep 24 16:02:18 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 53ms CPU time
Sep 24 16:08:30 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 16:08:30 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[40284]: removing stale vip 10.0.0.8 for local clients
Sep 24 16:08:30 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[40284]: done applying vip rules
Sep 24 16:08:30 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 43ms CPU time
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: Started Work around Azure load balancer hairpin.
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: processing v4 vip 10.0.0.8
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: ensuring rule for 10.0.0.8 for internal clients
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 openshift-azure-routes[44091]: done applying vip rules
Sep 24 16:10:34 ci-ln-2h9bjmk-002ac-mp4xd-master-0 systemd[1]: openshift-azure-routes.service: Consumed 47ms CPU time
```

Comment 16 Micah Abbott 2020-10-01 14:06:01 UTC
No updates for about a week; marking VERIFIED per comment #15

Comment 19 errata-xmlrpc 2020-10-27 16:27:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

