Bug 1887456 - It is impossible to attach the default NIC to a bridge with the latest version of OVN Kubernetes
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Tim Rozet
QA Contact: Ross Brattain
Depends On:
Blocks: 1885605 1889309 1893160
Reported: 2020-10-12 14:16 UTC by Petr Horáček
Modified: 2023-09-15 00:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OVN-Kubernetes takes the default gateway interface on the host and moves it into an OVS bridge called "br-ex". This bridge is primarily used to share the physical NIC of the host with the host network stack as well as OVN. However, there was no accommodation for anything else attaching and using the br-ex bridge (like CNV). Consequence: Attaching another interface to br-ex, such as a veth pair to a linux bridge or some other internal interface would not function correctly. Traffic would not egress/ingress as expected from the br-ex bridge to the newly added interface. Fix: OpenFlow programmed by OVN-Kubernetes has been fixed to normally switch traffic that does not belong to OVN or the host. Result: Attaching a new interface to br-ex will function the same as it would any normal switch such as a linux bridge.
Clone Of:
: 1889309 (view as bug list)
Last Closed: 2021-02-24 15:25:25 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 357 0 None closed Bug 1887456: 11-20-2020 merge 2021-02-18 17:05:15 UTC
Github ovn-org ovn-kubernetes pull 1774 0 None closed Fix shared gateway flood/normal behavior 2021-02-18 17:05:15 UTC
Github ovn-org ovn-kubernetes pull 1843 0 None closed Changes local gateway flows to NORMAL action 2021-02-18 17:05:14 UTC
Red Hat Bugzilla 1885605 0 high CLOSED It is not possible to reconfigure node's default interface using NodeNetworkConfigurationPolicy when OVN Kubernetes is u... 2023-12-14 16:07:19 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:25:56 UTC

Description Petr Horáček 2020-10-12 14:16:21 UTC
Description of problem:

When users have only a single NIC available on their nodes, they can use this NIC for both the default network and for a secondary L2 network. To allow that we configure a linux bridge on top of the NIC and move the original IP of the NIC on top of the bridge. That way, this network can be still used by the default SDN while also utilized for secondary L2 connections.

With a recent change of the gateway mode in OVN Kubernetes, the default NIC of a host is now attached to an OVS bridge "br-ex". Due to this, users are unable to use their primary network for bridging and providing L2 connectivity for their VMs/Pods. This kind of topology was possible in 4.5 and this bug will break upgrade and use for some of our users.

Find more info and suggested solutions in a bug that was opened on OpenShift Virtualization to track this regression https://bugzilla.redhat.com/show_bug.cgi?id=1885605. Opening this new BZ to track the resolution on OVN Kubernetes side.

Version-Release number of selected component (if applicable):
OCP 4.6

How reproducible:

Steps to Reproduce:
1. Deploy cluster with OVN Kubernetes
2. Try to configure Linux bridge on top of the default NIC

Actual results:
This fails since the NIC is now attached to OVN Kubernetes' br-ex.

Expected results:
User should be able to reconfigure the default interface. E.g. attach it to a Linux bridge to allow L2 connections to the default network work Pods and VMs.

Comment 3 Tim Rozet 2020-11-16 15:09:39 UTC
Shared gw fix is merged into 4.7. Testing local gateway fix that will be required for 4.6 backport:

Comment 4 Tim Rozet 2020-11-16 15:12:27 UTC
Note, the solution to this bug will be to allow other applications on the host to attach a port to br-ex (shared bridge) and traffic will flow normally over it like a regular L2 bridge. OVN-K8S will still take the NIC and move it onto the br-ex bridge at install time. Then CNV or any other application can simply attach to br-ex with an OVS patch port (if connecting to another OVS bridge) or create a veth pair to attach a linux bridge or something else.

Comment 6 Anurag saxena 2020-12-01 19:16:48 UTC
@rbrattai Can you help looking at this?

Comment 7 Ross Brattain 2020-12-05 06:17:09 UTC
Verified on 4.7.0-0.nightly-2020-12-03-083300 on OpenStack

Created veth pair, attached to Linux bridge, tcpdumped and saw MDNS traffic from all the other nodes in the cluster.

# create a veth pair: v1 will go into br-ex, v2 into the Linux bridge
ip link add v1 type veth peer v2
ip l s v1 up
ip l s v2 up
# create the Linux bridge and enslave the v2 end of the pair to it
ip link add name br-0 type bridge
ip link set br-0 up
ip link set v2 master br-0
# attach the v1 end to OVN-Kubernetes' shared OVS bridge
ovs-vsctl add-port br-ex v1

Comment 10 errata-xmlrpc 2021-02-24 15:25:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 11 Red Hat Bugzilla 2023-09-15 00:49:32 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
