Bug 2026665 - Unable to ssh to a VM when running with Service Mesh
Summary: Unable to ssh to a VM when running with Service Mesh
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Networking
Version: 4.10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.0
Assignee: Radim Hrazdil
QA Contact: Adi Zavalkovsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-25 13:08 UTC by Radim Hrazdil
Modified: 2022-03-16 15:57 UTC (History)

Fixed In Version: virt-handler v4.10.0-197
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-16 15:57:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github kubevirt kubevirt pull 6923 0 None open Istio: Fix ssh traffic forwarding to VMIs with Istio proxy 2022-01-06 13:10:32 UTC
Github kubevirt kubevirt pull 7042 0 None Merged [release-0.49] Istio: Fix ssh traffic forwarding to VMIs with Istio proxy 2022-01-20 10:30:31 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:57:17 UTC

Description Radim Hrazdil 2021-11-25 13:08:17 UTC
Description of problem:

Service mesh doesn't proxy traffic destined to port 22:
chain ISTIO_INBOUND {
       ...
       meta l4proto tcp tcp dport 22 counter packets 7 bytes 420 return
       ...
}


This causes the SSH connection not to be DNATed to the VM.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Create a VM with Istio enabled
2. Connect to the VM using SSH
3.

Actual results:
ssh connection fails

Expected results:
ssh connection should work


Additional info:

This doesn't affect ssh when using kubectl port-forward.

Comment 1 Radim Hrazdil 2021-11-25 13:14:03 UTC
A current workaround could be to configure SSH on any other port, i.e. 2222.


As a solution we may add a rule to DNAT traffic to port 22 to the KUBEVIRT_PREINBOUND chain.
In touch with the Istio community to better understand the purpose of excluding port 22.
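
As an added check (not part of this bug report or of KubeVirt's own code), the following Python parses `nft list ruleset` text and reports TCP ports that ISTIO_INBOUND returns on (the sidecar never redirects them) without a matching DNAT in KUBEVIRT_PREINBOUND, i.e. ports where an inbound connection stops at the pod and never reaches the guest. The rule set text, the contents of KUBEVIRT_PREINBOUND and the DNAT target address are constructed assumptions for the example.

```python
import re

# Constructed `nft list ruleset` excerpt modelled on the chain in the description.
# The KUBEVIRT_PREINBOUND chain and its DNAT target are assumptions for this example.
BUGGY_RULESET = """\
table ip nat {
    chain ISTIO_INBOUND {
        meta l4proto tcp tcp dport 22 counter packets 7 bytes 420 return
        meta l4proto tcp counter packets 12 bytes 720 jump ISTIO_IN_REDIRECT
    }
    chain KUBEVIRT_PREINBOUND {
    }
}
"""
# Same ruleset with a DNAT rule for port 22 added to KUBEVIRT_PREINBOUND.
FIXED_RULESET = BUGGY_RULESET.replace(
    "chain KUBEVIRT_PREINBOUND {\n",
    "chain KUBEVIRT_PREINBOUND {\n"
    "        meta l4proto tcp tcp dport 22 counter packets 0 bytes 0 dnat to 10.0.2.2\n")

CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{")
RULE_RE = re.compile(r"tcp dport (\d+)\b.*\b(return|dnat)\b")

def parse_chains(ruleset):
    """Split nft text output into {chain name: [rule lines]}."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line:
            chains[current].append(line)
    return chains

def ports_with_verdict(chains, chain, verdict):
    """TCP destination ports whose rule in `chain` ends with `verdict`."""
    matches = (RULE_RE.search(r) for r in chains.get(chain, []))
    return {int(m.group(1)) for m in matches if m and m.group(2) == verdict}

def ports_not_reaching_vm(ruleset):
    """Ports ISTIO_INBOUND returns on (the sidecar never redirects them) and that
    KUBEVIRT_PREINBOUND does not DNAT either: such connections never reach the guest."""
    chains = parse_chains(ruleset)
    bypassed = ports_with_verdict(chains, "ISTIO_INBOUND", "return")
    return bypassed - ports_with_verdict(chains, "KUBEVIRT_PREINBOUND", "dnat")
```

Run it against the real output of `nft list ruleset` inside the virt-launcher pod's network namespace to confirm that port 22 is covered after the fix.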

Comment 3 Petr Horáček 2022-01-20 10:30:31 UTC
We will not fix this SSH issue in 4.9. It would require a complicated backport to 3 upstream branches. Service Mesh on 4.9 can still be tried out in tech preview mode. If SSH is needed, it can be configured to run on a different port.

Comment 4 Petr Horáček 2022-01-24 09:05:19 UTC
Reusing this tracker for the 4.10 backport.

Comment 5 Adi Zavalkovsky 2022-01-24 10:04:24 UTC
Verified. OCP version 4.10. virt-handler v4.10.0-197.

Deployed a VM with an istio-proxy container and a Service directed to port 22.
Connecting to the VM with ssh via the svc works as expected.

Comment 10 errata-xmlrpc 2022-03-16 15:57:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947

