Description of problem:
An ARP response would be sent from every chassis when sending an ARP request to the external id in NAT on the external network.

Version-Release number of selected component (if applicable):
ovn20.06.2-4

How reproducible:
Always

Steps to Reproduce:
1. install podman-docker on rhel8
2. clone ovn-fake-multinode:
git clone https://github.com/ovn-org/ovn-fake-multinode.git
3. install python3:
yum install python3 -y
4. install podman registry:
mkdir /var/lib/registry -p
podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always docker.io/library/registry:2
cat > /etc/containers/registries.conf << EOF
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io']
[registries.insecure]
registries = ['localhost:5000']
[registries.block]
registries = []
EOF
5. download openvswitch, openvswitch-selinux-extra-policy and ovn packages into ovn-fake-multinode:
wget http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch-selinux-extra-policy/1.0/23.el8fdp/noarch/openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch.rpm
wget http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch2.13/2.13.0/58.el8fdp/x86_64/openvswitch2.13-2.13.0-58.el8fdp.x86_64.rpm
wget http://download-node-02.eng.bos.redhat.com/brewroot/packages/ovn2.13/20.06.2/4.el8fdp/x86_64/ovn2.13-20.06.2-4.el8fdp.x86_64.rpm
wget http://download-node-02.eng.bos.redhat.com/brewroot/packages/ovn2.13/20.06.2/4.el8fdp/x86_64/ovn2.13-central-20.06.2-4.el8fdp.x86_64.rpm
wget http://download-node-02.eng.bos.redhat.com/brewroot/packages/ovn2.13/20.06.2/4.el8fdp/x86_64/ovn2.13-host-20.06.2-4.el8fdp.x86_64.rpm
6. build images:
OS_IMAGE=registry.access.redhat.com/ubi8/ubi:8.2 ./ovn_cluster.sh build
7. install openvswitch on host and start ovs:
/usr/share/openvswitch/scripts/ovs-ctl --system-id=testovn start
8. start setup ovn chassis:
./ovn_cluster.sh start
9. send arp:
ip netns exec ovnfake-ext arping 172.16.0.100 -c1

Actual results:
[root@wsfd-advnetlab17 ovn-fake-multinode]# sudo ip netns exec ovnfake-ext arping 172.16.0.100 -c1
ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.477ms
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.779ms
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.833ms
Sent 1 probes (1 broadcast(s))
Received 3 response(s)    <==== get 3 responses

Expected results:
should only get one response

Additional info:
after deleting nat:
docker exec -t ovn-central ovn-nbctl lr-nat-del lr0 snat 10.0.0.0/24
docker exec -t ovn-central ovn-nbctl lr-nat-del lr0 snat 20.0.0.0/24

get only one response:
[root@wsfd-advnetlab17 ovn-fake-multinode]# sudo ip netns exec ovnfake-ext arping 172.16.0.100 -c1
ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  3.391ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

[root@wsfd-advnetlab17 ~]# docker exec -t ovn-central rpm -qa | grep -E "openvswitch|ovn"
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-central-20.06.2-4.el8fdp.x86_64
ovn2.13-20.06.2-4.el8fdp.x86_64
openvswitch2.13-2.13.0-58.el8fdp.x86_64
ovn2.13-host-20.06.2-4.el8fdp.x86_64

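The difference between the actual and expected results above is the number of replies drawn by a single probe, which can be checked mechanically. The script below is an added example, not part of the original report or of OVN; the function names are hypothetical and the sample text is the arping output quoted in this report.

```shell
#!/bin/sh
# Added example (not from the report): classify iputils arping output by
# how many replies a single probe drew. Function names are hypothetical.

# Print the number of reply lines read from stdin.
count_arp_replies() {
    awk '/ reply from /{n++} END{print n+0}'
}

# Print the number of distinct responder MACs read from stdin.
count_reply_macs() {
    awk '/ reply from / && match($0, /\[[0-9A-Fa-f:]+\]/) {
             print toupper(substr($0, RSTART + 1, RLENGTH - 2))
         }' | sort -u | awk 'END{print NR}'
}

# $1 = arping output. Print a verdict; return 0 only for exactly one reply.
# macs=1 with replies>1 matches this report (the same router MAC answered
# several times); macs>1 would mean different responders claim the IP.
arp_reply_verdict() {
    replies=$(printf '%s\n' "$1" | count_arp_replies)
    macs=$(printf '%s\n' "$1" | count_reply_macs)
    if [ "$replies" -eq 0 ]; then
        echo "NOREPLY replies=0 macs=0"; return 1
    elif [ "$replies" -eq 1 ]; then
        echo "OK replies=1 macs=$macs"; return 0
    fi
    echo "DUPLICATE replies=$replies macs=$macs"; return 1
}

# Sample text taken from the arping output in this report.
BUGGY_OUTPUT='ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.477ms
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.779ms
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.833ms
Sent 1 probes (1 broadcast(s))
Received 3 response(s)'

FIXED_OUTPUT='ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.628ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)'

arp_reply_verdict "$BUGGY_OUTPUT" || true   # prints: DUPLICATE replies=3 macs=1
arp_reply_verdict "$FIXED_OUTPUT"           # prints: OK replies=1 macs=1
```
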
the issue doesn't occur on 20.F 20.06.1-6:

[root@wsfd-advnetlab17 ~]# docker exec -t ovn-central rpm -qa | grep -E "openvswitch|ovn"
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-central-20.06.1-6.el8fdp.x86_64
ovn2.13-20.06.1-6.el8fdp.x86_64
openvswitch2.13-2.13.0-58.el8fdp.x86_64
ovn2.13-host-20.06.1-6.el8fdp.x86_64

[root@wsfd-advnetlab17 ~]# docker exec -t ovn-central ovn-nbctl lr-nat-list lr0
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat    172.16.0.110                        10.0.0.3              30:54:00:00:00:03    sw0-port1
dnat_and_snat    172.16.0.120                        20.0.0.3              30:54:00:00:00:04    sw1-port1
dnat_and_snat    3000::c                             1000::3               40:54:00:00:00:03    sw0-port1
dnat_and_snat    3000::d                             2000::3               40:54:00:00:00:04    sw1-port1
snat             172.16.0.100                        10.0.0.0/24
snat             172.16.0.100                        20.0.0.0/24

[root@wsfd-advnetlab17 ovn-fake-multinode]# sudo ip netns exec ovnfake-ext arping 172.16.0.100 -c1
ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.785ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Verified on ovn20.06.2-11:

[root@wsfd-advnetlab16 scenario]# ip netns exec ovnfake-ext arping 172.16.0.100 -c1
ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.628ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

[root@wsfd-advnetlab16 scenario]# docker exec -it ovn-central rpm -qa | grep -E "openvswitch|ovn"
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-central-20.06.2-11.el8fdp.x86_64
ovn2.13-20.06.2-11.el8fdp.x86_64
openvswitch2.13-2.13.0-59.el8fdp.x86_64
ovn2.13-host-20.06.2-11.el8fdp.x86_64

Verified on fdp7:

:: [ 23:31:52 ] :: [ BEGIN ] :: Running 'docker exec -it ovn-central rpm -qa | grep -E "openvswitch|ovn"'
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
ovn2.13-central-20.06.2-11.el7fdp.x86_64
ovn2.13-20.06.2-11.el7fdp.x86_64
openvswitch2.13-2.13.0-48.el7fdp.x86_64
ovn2.13-host-20.06.2-11.el7fdp.x86_64
:: [ 23:31:53 ] :: [ BEGIN ] :: Running 'ip netns exec ovnfake-ext arping 172.16.0.100 -c1 | tee arping.log'
ARPING 172.16.0.100 from 172.16.0.50 ovnfake-ext
Unicast reply from 172.16.0.100 [00:00:20:20:12:13]  1.781ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4356