Bug 1959786 - [dualstack]EgressIP doesn't work on dualstack cluster for IPv6
Summary: [dualstack]EgressIP doesn't work on dualstack cluster for IPv6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Alexander Constantinescu
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-12 11:06 UTC by huirwang
Modified: 2021-07-27 23:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:08:01 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:08:18 UTC

Description huirwang 2021-05-12 11:06:22 UTC
Description of problem:
EgressIP doesn't work on dualstack cluster for IPv6

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2021-05-05-092347

How reproducible:
Always

Steps to Reproduce:
1. Label two nodes as EgressIP nodes
2. Create EgressIP object with an IPv6 address
oc get egressip egressip-1 -o yaml
......
spec:
  egressIPs:
  - 2620:52:0:4974:bc68:e2bc:4b6d:5dc3
  namespaceSelector:
    matchLabels:
      name: test
  podSelector: {}
status:
  items:
  - egressIP: 2620:52:0:4974:bc68:e2bc:4b6d:5dc3
    node: dell-per740-14.rhts.eng.pek2.redhat.com
........

3. Create a namespace test and a pod in it.
oc get pods -n test -o wide
NAME        READY   STATUS    RESTARTS   AGE    IP            NODE                                      NOMINATED NODE   READINESS GATES
hello-pod   1/1     Running   0          168m   10.131.0.95   dell-per740-35.rhts.eng.pek2.redhat.com   <none>           <none>
4. Label test with name=test
oc get ns test --show-labels
NAME   STATUS   AGE    LABELS
test   Active   175m   name=test

5. From the pod under project test, try to ping another host's IPv6 address. This host is not a cluster node.
 oc rsh -n test hello-pod
 / # ping 2620:52:0:4974:def4:1ff:fee7:8144
PING 2620:52:0:4974:def4:1ff:fee7:8144(2620:52:0:4974:def4:1ff:fee7:8144) 56 data bytes
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=1 ttl=63 time=3.82 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=2 ttl=63 time=1.78 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=3 ttl=63 time=0.603 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=4 ttl=63 time=0.534 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=5 ttl=63 time=0.484 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=6 ttl=63 time=0.540 ms
64 bytes from 2620:52:0:4974:def4:1ff:fee7:8144: icmp_seq=7 ttl=63 time=0.622 ms

In the meantime, try to capture packets on node dell-per740-35.rhts.eng.pek2.redhat.com (the node where the pod is located) and dell-per740-14.rhts.eng.pek2.redhat.com (the EgressIP node).

Actual Results:
We can see the packets going out via the pod's node, but not via the EgressIP node.
oc debug node/dell-per740-35.rhts.eng.pek2.redhat.com
Creating debug namespace/openshift-debug-node-xd7g8 ...
Starting pod/dell-per740-35rhtsengpek2redhatcom-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.73.116.54
If you don't see a command prompt, try pressing enter.
sh-4.4# tcpdump -i eno1 host 2620:52:0:4974:def4:1ff:fee7:8144
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-ex, link-type EN10MB (Ethernet), capture size 262144 bytes
08:58:13.990850 IP6 dell-per740-35.rhts.eng.pek2.redhat.com > 2620:52:0:4974:def4:1ff:fee7:8144: ICMP6, echo request, seq 1, length 64
08:58:13.991522 IP6 2620:52:0:4974:def4:1ff:fee7:8144 > dell-per740-35.rhts.eng.pek2.redhat.com: ICMP6, echo reply, seq 1, length 64
08:58:14.991089 IP6 dell-per740-35.rhts.eng.pek2.redhat.com > 2620:52:0:4974:def4:1ff:fee7:8144: ICMP6, echo request, seq 2, length 64
08:58:14.991327 IP6 2620:52:0:4974:def4:1ff:fee7:8144 > dell-per740-35.rhts.eng.pek2.redhat.com: ICMP6, echo reply, seq 2, length 64
08:58:15.991014 IP6 dell-per740-35.rhts.eng.pek2.redhat.com > 2620:52:0:4974:def4:1ff:fee7:8144: ICMP6, echo request, seq 3, length 64
08:58:15.991249 IP6 2620:52:0:4974:def4:1ff:fee7:8144 > dell-per740-35.rhts.eng.pek2.redhat.com: ICMP6, echo reply, seq 3, length 64
08:58:17.052029 IP6 dell-per740-35.rhts.eng.pek2.redhat.com > 2620:52:0:4974:def4:1ff:fee7:8144: ICMP6, echo request, seq 4, length 64
08:58:17.052257 IP6 2620:52:0:4974:def4:1ff:fee7:8144 > dell-per740-35.rhts.eng.pek2.redhat.com: ICMP6, echo reply, seq 4, length 64

Expected:
EgressIP works with IPv6 address.

Note: Tested IPv4 the same way, and it worked. 10.73.116.201 is the configured IPv4 EgressIP and the EgressIP node is dell-per740-13.rhts.eng.pek2.redhat.com
oc get egressip
NAME         EGRESSIPS                            ASSIGNED NODE                             ASSIGNED EGRESSIPS
egressip-1   2620:52:0:4974:bc68:e2bc:4b6d:5dc3   dell-per740-14.rhts.eng.pek2.redhat.com   2620:52:0:4974:bc68:e2bc:4b6d:5dc3
egressip-2   10.73.116.201                        dell-per740-13.rhts.eng.pek2.redhat.com   10.73.116.201

Captured packets on EgressIP node dell-per740-13.rhts.eng.pek2.redhat.com 
sh-4.4# tcpdump -i eno1 host 10.73.116.56 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:59:18.502340 IP vm-116-201.rhts.eng.pek2.redhat.com > dell-per740-36.rhts.eng.pek2.redhat.com: ICMP echo request, id 14, seq 1, length 64
10:59:18.502546 IP dell-per740-36.rhts.eng.pek2.redhat.com > vm-116-201.rhts.eng.pek2.redhat.com: ICMP echo reply, id 14, seq 1, length 64
10:59:19.502591 IP vm-116-201.rhts.eng.pek2.redhat.com > dell-per740-36.rhts.eng.pek2.redhat.com: ICMP echo request, id 14, seq 2, length 64
10:59:19.502775 IP dell-per740-36.rhts.eng.pek2.redhat.com > vm-116-201.rhts.eng.pek2.redhat.com: ICMP echo reply, id 14, seq 2, length 64
10:59:20.502606 IP vm-116-201.rhts.eng.pek2.redhat.com > dell-per740-36.rhts.eng.pek2.redhat.com: ICMP echo request, id 14, seq 3, length 64
10:59:20.502791 IP dell-per740-36.rhts.eng.pek2.redhat.com > vm-116-201.rhts.eng.pek2.redhat.com: ICMP echo reply, id 14, seq 3, length 64
10:59:21.564333 IP vm-116-201.rhts.eng.pek2.redhat.com > dell-per740-36.rhts.eng.pek2.redhat.com: ICMP echo request, id 14, seq 4, length 64
10:59:21.564520 IP dell-per740-36.rhts.eng.pek2.redhat.com > vm-116-201.rhts.eng.pek2.redhat.com: ICMP echo reply, id 14, seq 4, length 64
10:59:22.592221 IP vm-116-201.rhts.eng.pek2.redhat.com > dell-per740-36.rhts.eng.pek2.redhat.com: ICMP echo request, id 14, seq 5, length 64
10:59:22.592403 IP dell-per740-36.rhts.eng.pek2.redhat.com > vm-116-201.rhts.eng.pek2.redhat.com: ICMP echo reply, id 14, seq 5, length 64
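
The capture comparison in the description can be checked mechanically. The following is an added example, not part of the original report: it parses `tcpdump -n` output (numeric addresses rather than the resolved hostnames shown above) and reports whether every echo request to the external host is sourced from the configured EgressIP. The function names and the pod node's address 2001:db8::35 are assumptions, and the sample lines are constructed in the shape of the captures above.

```python
import ipaddress
import re

# `tcpdump -n` line for an ICMP or ICMPv6 echo request (numeric addresses).
LINE_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): ICMP6?,? echo request")

def echo_request_sources(lines, dest):
    """Count echo requests sent to dest, keyed by source address."""
    dest = ipaddress.ip_address(dest)
    counts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # replies and unrelated traffic
        try:
            src = ipaddress.ip_address(m.group("src"))
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # hostname instead of an address: capture with -n
        if dst == dest:
            counts[src] = counts.get(src, 0) + 1
    return counts

def check_egress(lines, dest, egress_ip):
    """Return 'ok' if every echo request to dest is sourced from egress_ip."""
    sources = echo_request_sources(lines, dest)
    if not sources:
        return "no-traffic"
    egress = ipaddress.ip_address(egress_ip)
    return "ok" if set(sources) == {egress} else "wrong-source"

# Constructed sample captures; 2001:db8::35 stands in for the pod's node.
DEST6 = "2620:52:0:4974:def4:1ff:fee7:8144"
EGRESS6 = "2620:52:0:4974:bc68:e2bc:4b6d:5dc3"
V6_CAPTURE = [
    f"08:58:13.990850 IP6 2001:db8::35 > {DEST6}: ICMP6, echo request, seq 1, length 64",
    f"08:58:13.991522 IP6 {DEST6} > 2001:db8::35: ICMP6, echo reply, seq 1, length 64",
    f"08:58:14.991089 IP6 2001:db8::35 > {DEST6}: ICMP6, echo request, seq 2, length 64",
]
V4_CAPTURE = [
    "10:59:18.502340 IP 10.73.116.201 > 10.73.116.56: ICMP echo request, id 14, seq 1, length 64",
    "10:59:18.502546 IP 10.73.116.56 > 10.73.116.201: ICMP echo reply, id 14, seq 1, length 64",
]

if __name__ == "__main__":
    print("IPv6:", check_egress(V6_CAPTURE, DEST6, EGRESS6))
    print("IPv4:", check_egress(V4_CAPTURE, "10.73.116.56", "10.73.116.201"))
```

A `wrong-source` result on the external-facing interface means the traffic is leaving with an address other than the EgressIP, so any external allow-list keyed on that address will not match it.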

Comment 5 errata-xmlrpc 2021-07-27 23:08:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

