Bug 1947097 - [4.7z] upgrade from ocp 4.5 to 4.6 does not clear SNAT rules on ovn
Summary: [4.7z] upgrade from ocp 4.5 to 4.6 does not clear SNAT rules on ovn
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6.z
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Tim Rozet
QA Contact: Arti Sood
URL:
Whiteboard:
Depends On: 1943637
Blocks: 1947098
Reported: 2021-04-07 16:46 UTC by Tim Rozet
Modified: 2021-05-24 17:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1943637
Clones: 1947098
Environment:
Last Closed: 2021-05-24 17:14:37 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 533 0 None open Bug 1947097: [4.7z] Ensure no SNAT on GR for DisableSNATMultipleGws 2021-05-10 19:31:05 UTC
Red Hat Product Errata RHSA-2021:1561 0 None None None 2021-05-24 17:15:10 UTC

Description Tim Rozet 2021-04-07 16:46:39 UTC
+++ This bug was initially created as a clone of Bug #1943637 +++

Description of problem:
Observed that when the cluster was upgraded from OCP 4.5.16 to 4.6.17, there appear to be SNAT rules that are not getting removed/cleaned.  Output below is from an OCP 4.5.16 cluster upgraded to OCP 4.6.17.

Version-Release number of selected component (if applicable):

OCP 4.6.17
How reproducible:
upgrade from 4.5.16 

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

oc rsh -n  openshift-ovn-kubernetes ovnkube-master-x2tnl

sh-4.4# ovn-nbctl lr-nat-list GR_master-0
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_master-1
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_master-2
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_worker-13
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_worker-14
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

--- Additional comment from Tim Rozet on 2021-03-29 16:21:56 UTC ---

These snat rules are leftover from the "old local gateway" mode when transitioning to the new. The old local gateway mode used the br-local bridge with a 169.254.x.x address, with ovn-k8s-gw0 as the GR. In the new local gw mode (same topology as shared) the GR connects to the shared gw bridge. During this upgrade from 4.5 (old mode) -> 4.6 (new mode) it looks like we are not removing the old snat entry. In 4.6 we deploy new local gateway mode with disable-snat-multiple-gws, which means there should be no subnet wide snat on the GR. The multiple gateways will not be snat'ed so they should not have any SNAT entries. The only thing that may have a SNAT entry is egress IP.
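
As an added check (not part of the bug report or of the ovn-kubernetes project), the shell snippet below parses `ovn-nbctl lr-nat-list` output and flags any subnet-wide SNAT still present on a gateway router, which in disable-snat-multiple-gws mode should only ever carry per-host egress IP SNATs. The samples are constructed from the output quoted above; `audit_live` is an assumed wrapper for running the same check against every GR_ router inside an ovnkube-master pod.

```shell
#!/bin/sh
# Constructed sample: the stale entry quoted in this bug (old local gw mode).
STALE_SAMPLE='TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16'

# Constructed sample of a healthy GR: only an egress IP SNAT for a single pod.
CLEAN_SAMPLE='TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             192.0.2.10                          10.128.2.5'

# Read lr-nat-list output on stdin; print every snat row whose LOGICAL_IP is a
# whole subnet (prefix other than /32 or /128). Returns 1 if any were found.
find_stale_snat() {
  awk '
    $1 == "snat" {
      # EXTERNAL_PORT is blank for snat rows, so LOGICAL_IP is field 3.
      logical = $3
      if (logical ~ /\/[0-9]+$/ && logical !~ /\/(32|128)$/) {
        print "stale subnet-wide SNAT: " $0
        found = 1
      }
    }
    END { exit found ? 1 : 0 }
  '
}

# Assumed wrapper (not from the page): run inside an ovnkube-master pod and
# audit every gateway router in the NB database. Returns 1 if any GR is dirty.
audit_live() {
  rc=0
  for gr in $(ovn-nbctl --bare --columns=name list Logical_Router | grep '^GR_'); do
    if out=$(ovn-nbctl lr-nat-list "$gr" | find_stale_snat); then
      :
    else
      printf '%s\n' "$out" | sed "s/^/$gr: /"
      rc=1
    fi
  done
  return $rc
}

# Demo on the constructed samples when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$STALE_SAMPLE" | find_stale_snat || echo "stale SNAT present"
  printf '%s\n' "$CLEAN_SAMPLE" | find_stale_snat && echo "GR is clean"
fi
```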

Comment 5 errata-xmlrpc 2021-05-24 17:14:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.12 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1561

