Bug 2002657 - ovn-kube egress IP monitoring is using a random port over the node network
Summary: ovn-kube egress IP monitoring is using a random port over the node network
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Patryk Diak
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-09 12:57 UTC by Dan Winship
Modified: 2022-03-12 04:38 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-12 04:38:07 UTC
Target Upstream Version:
Embargoed:

Links
System ID                                   | Private | Priority | Status | Summary                                                                                  | Last Updated
Github openshift ovn-kubernetes pull 796    | 0       | None     | Merged | [DownstreamMerge] Merge 2021-10-13                                                       | 2021-11-02 12:39:24 UTC
Github openshift ovn-kubernetes pull 834    | 0       | None     | Merged | [DownstreamMerge] Revert revert                                                          | 2021-11-24 09:50:26 UTC
Github ovn-org ovn-kubernetes pull 2495     | 0       | None     | Merged | Bug 2002657: ovn-kube egress IP monitoring is using a random port over the node network | 2021-09-17 07:23:52 UTC
Red Hat Product Errata RHSA-2022:0056       | 0       | None     | None   | None                                                                                     | 2022-03-12 04:38:28 UTC

Description Dan Winship 2021-09-09 12:57:59 UTC
Bug 1942856 mentions the fact that apparently it is currently necessary to open up port 9 between nodes in order for ovn-kubernetes egress IP checking to work. This is not supposed to be required.

The original openshift-sdn code does the pings over the pod network (i.e., it pings the remote node's tun0 IP), so all ports are open and the code can use whatever port it wants. (I picked port 9 because it's semantically correct ("discard"), and because I didn't want to connect to a port that might actually have a server on it that would log a message about "received connection"/"connection closed unexpectedly" or whatever every time we pinged.)

ovn-kubernetes's egress IP code, as currently written, is using the node's primary IP rather than its pod-network IP as the ping target, so the traffic goes over the node network, and fails, because most clusters are not going to allow traffic between nodes on port 9.

There are two possible fixes:

  - Change the code to use the nodes' pod-network IPs like openshift-sdn
    does, rather than their node-network IPs

  - Change the port to something which is already open between nodes.
    e.g., you could reserve a port in the 9000-9999 range in
    https://github.com/openshift/enhancements/blob/master/dev-guide/host-port-registry.md
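
The probe the description talks about, as an added illustration (this is example code written for this page, not ovn-kubernetes or openshift-sdn code): open a TCP connection to a peer node on the "discard" port (9) and close it without sending a byte. The classification is the part worth seeing: a completed handshake or a "connection refused" (the peer answered with a RST) both prove the node's network stack is alive, while a timeout means either a dead node or a firewall silently dropping the SYN, and the two cannot be told apart. That is why dropping port 9 between nodes makes the check fail. Treating refused-as-up, the NodeStatus type and the probeNode name are assumptions of this example, not something the bug states.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"syscall"
	"time"
)

// Illustrative reachability probe (added example, not ovn-kubernetes or
// openshift-sdn code). It models the check the bug describes: open a TCP
// connection to a peer node on the "discard" port (9) and close it without
// sending anything. Treating "connection refused" as a healthy answer is an
// assumption of this example: a RST proves the peer's network stack is up,
// while a timeout (host down, or the port filtered between nodes) does not.
const discardPort = 9

// NodeStatus is the probe's verdict.
type NodeStatus int

const (
	NodeUp          NodeStatus = iota // connected, or refused with a RST: the host answered
	NodeUnreachable                   // no answer before the deadline: down or filtered
	ProbeError                        // some other failure (no route, bad address, ...)
)

func (s NodeStatus) String() string {
	switch s {
	case NodeUp:
		return "up"
	case NodeUnreachable:
		return "unreachable (timeout)"
	default:
		return "probe error"
	}
}

// probeNode dials targetIP:port with the given timeout and classifies the result.
func probeNode(targetIP string, port int, timeout time.Duration) NodeStatus {
	addr := net.JoinHostPort(targetIP, strconv.Itoa(port))
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		// Something is listening. Close at once; nothing was written, so a
		// real service on the port sees only an empty connection.
		conn.Close()
		return NodeUp
	}
	if errors.Is(err, syscall.ECONNREFUSED) {
		// The peer sent a RST: nobody listens on the port, but the node is alive.
		return NodeUp
	}
	var netErr net.Error
	if errors.As(err, &netErr) && netErr.Timeout() {
		// Silence. Indistinguishable from a dead node, which is exactly why a
		// firewall dropping port 9 between nodes breaks this kind of check.
		return NodeUnreachable
	}
	return ProbeError
}

func main() {
	// Loopback with (almost certainly) nothing listening on port 9: refused, so "up".
	fmt.Println("127.0.0.1:9 ->", probeNode("127.0.0.1", discardPort, 2*time.Second))
	// 192.0.2.1 (TEST-NET-1, RFC 5737) is not routed; on most hosts the SYN is
	// dropped silently, which looks like a filtered inter-node port: "unreachable".
	fmt.Println("192.0.2.1:9 ->", probeNode("192.0.2.1", discardPort, 2*time.Second))
}
```

Pointing this probe at a node's pod-network address (tun0 or the OVN management port) keeps the traffic inside the overlay, where nothing filters it; pointing it at the node's primary address sends it across the host network, where the second case in main is what an inter-node firewall produces.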

Comment 5 zhaozhanqi 2021-11-10 05:48:40 UTC
Moving this bug to ASSIGNED status since the linked PR has been reverted. Please help link the correct PR and update the bug status. Thanks.

Comment 6 Patryk Diak 2021-11-24 09:50:26 UTC
https://github.com/openshift/ovn-kubernetes/pull/834 includes the required fixes downstream.

Comment 12 errata-xmlrpc 2022-03-12 04:38:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
