Bug 2031012 - Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Federico Paolinelli
QA Contact: Arti Sood
URL:
Whiteboard:
Duplicates: 2038309
Depends On:
Blocks: 2040594
Reported: 2021-12-10 10:02 UTC by Federico Paolinelli
Modified: 2023-09-15 01:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2040594
Environment:
Last Closed: 2022-03-10 16:32:55 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 888 0 None Merged Bug 2031012: Create iptables NAT rules also for loadbalancer services 2022-02-07 21:25:14 UTC
Github ovn-org ovn-kubernetes pull 2705 0 None Merged Create iptables NAT rules also for loadbalancer services 2022-02-07 21:25:10 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:33:08 UTC

Description Federico Paolinelli 2021-12-10 10:02:14 UTC
Description of problem:

MetalLB + OVNK.
Layer 2 mode, the service client tries to hit the service from a network connected to a secondary nic of the host (not br-ex).

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Deploy MetalLB
2. Deploy an application that leverages a service using an IP from the network reachable from a secondary nic
3. Try to reach the service from a network connected to a secondary nic

Actual results:
It's not possible to reach the service

Expected results:
The service is reachable

Additional info:

Comment 4 Mohamed Mahmoud 2022-01-07 21:03:55 UTC
*** Bug 2038309 has been marked as a duplicate of this bug. ***

Comment 25 Greg Kopels 2022-02-09 13:22:56 UTC
Bz verified on dual stack cluster version 4.10.0-fc.2 by QE Networking

1. Create dual stack layer2 AddressPool

2. Create a service
[gkopels@ cnf-gotests (metallb-47182-1)]$ oc get service
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP                            PORT(S)        AGE
nginx        LoadBalancer   172.30.77.129   10.46.56.131,2620:52:0:2e38::200       80:31186/TCP   44m

3. Create a backend service

[gkopels@ cnf-gotests (metallb-47182-1)]$ oc get pods -owide
NAME    READY   STATUS    RESTARTS   AGE   IP             NODE                              NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          39m   10.131.0.143   helix13.lab.eng.tlv2.redhat.com   <none>           <none>

4. On same node as the backend service pod create interface dummy0

[root@helix13 core]# ip a show dummy0
162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff
    inet 10.100.100.254/24 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 2620:52:0:2e38::500/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::48ad:c2ff:fe22:e903/64 scope link
       valid_lft forever preferred_lft forever

5. Verify service and announcing node

[gkopels@ test_cases]$ oc describe service nginx
Name:                     nginx
Namespace:                default
Labels:                   <none>
Annotations:              metallb.universe.tf/address-pool: addresspool2
Selector:                 app=nginx
Type:                     LoadBalancer
IP Family Policy:         RequireDualStack
IP Families:              IPv4,IPv6
IP:                       172.30.77.129
IPs:                      172.30.77.129,fd02::d24d
LoadBalancer Ingress:     10.46.56.131, 2620:52:0:2e38::200
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31186/TCP
Endpoints:                10.131.0.143:80
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30149
Events:
  Type    Reason        Age              From                Message
  ----    ------        ----             ----                -------
  Normal  IPAllocated   6m15s            metallb-controller  Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"]
  Normal  nodeAssigned  2s (x2 over 2s)  metallb-speaker     announcing from node "helix13.lab.eng.tlv2.redhat.com"
[gkopels@ test_cases]$ oc describe service nginx
Name:                     nginx
Namespace:                default
Labels:                   <none>
Annotations:              metallb.universe.tf/address-pool: addresspool2
Selector:                 app=nginx
Type:                     LoadBalancer
IP Family Policy:         RequireDualStack
IP Families:              IPv4,IPv6
IP:                       172.30.77.129
IPs:                      172.30.77.129,fd02::d24d
LoadBalancer Ingress:     10.46.56.131, 2620:52:0:2e38::200
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31186/TCP
Endpoints:                10.131.0.143:80
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30149
Events:
  Type    Reason        Age              From                Message
  ----    ------        ----             ----                -------
  Normal  IPAllocated   6m17s            metallb-controller  Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"]
  Normal  nodeAssigned  4s (x2 over 4s)  metallb-speaker     announcing from node "helix13.lab.eng.tlv2.redhat.com"

6. Curl external IPv4 with dummy0 as source address

curl --interface 10.100.100.254 10.46.56.131

7. Curl external IPv6 with dummy0 as source address

curl --interface 2620:52:0:2e38::500 [2620:52:0:2e38::200]


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
        <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <style type="text/css">
            /*<![CDATA[*/
            body {
                background-color: #fff;
                color: #000;
                font-size: 0.9em;
                font-family: sans-serif,helvetica;
                margin: 0;
                padding: 0;

Comment 26 Greg Kopels 2022-02-09 13:55:48 UTC
Reran the test with a new IPv6 address on interface dummy0 outside of the IPv6 node IP range.

[root@helix13 core]# ip a show dummy0
162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff
    inet 10.100.100.254/24 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 2620:52:0:200::500/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::48ad:c2ff:fe22:e903/64 scope link 
       valid_lft forever preferred_lft forever

[root@helix13 core]# curl --interface 2620:52:0:200::500 [2620:52:0:2e38::200]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
        <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <style type="text/css">
            /*<![CDATA[*/
            body {
                background-color: #fff;
                color: #000;
                font-size: 0.9em;
                font-family: sans-serif,helvetica;
                margin: 0;
                padding: 0;
            }


### AddressPool ###

apiVersion: metallb.io/v1beta1
kind: AddressPool
metadata:
  name: addresspool2
  namespace: metallb-system
spec:
  protocol: layer2
  autoAssign: true
  addresses:
    - 10.46.56.131-10.46.56.132
    - 2620:52:0:2e38::200-2620:52:0:2e38::400
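
A node-side check to go with the curl verification above, as an added example that is not part of the bug report or of ovn-kubernetes: it scans `iptables-save -t nat` style text for a DNAT rule covering each LoadBalancer ingress IP, which is what the linked fix ("Create iptables NAT rules also for loadbalancer services") is expected to install. The chain name and the DNAT targets in the sample are constructed assumptions; the addresses are the ones shown in the report.

```shell
#!/bin/sh
# Added example: look for a DNAT rule per LoadBalancer ingress IP in
# `iptables-save -t nat` / `ip6tables-save -t nat` style text.

# Constructed sample. The chain name is a placeholder and the DNAT targets are
# assumed (the service's cluster IPs); the ingress IPs are those in the report.
SAMPLE_RULES='*nat
:EXAMPLE-LB-CHAIN - [0:0]
-A EXAMPLE-LB-CHAIN -d 10.46.56.131/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.30.77.129:80
-A EXAMPLE-LB-CHAIN -d 2620:52:0:2e38::200/128 -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd02::d24d]:80
COMMIT'

# lb_dnat_target RULES IP PORT
# Prints the --to-destination of the first DNAT rule whose -d is exactly IP
# (as a /32 or /128 host match) and whose --dport is PORT; returns 1 if none.
# Addresses are compared as text, in the form iptables-save prints them.
lb_dnat_target() {
  printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
    $1 != "-A" { next }
    {
      dst = ""; dport = ""; jump = ""; to = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-d") dst = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-j") jump = $(i + 1)
        else if ($i == "--to-destination") to = $(i + 1)
      }
      sub(/\/(32|128)$/, "", dst)
      if (dst == ip && dport == port && jump == "DNAT") { print to; found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# missing_lb_rules RULES PORT IP...
# Prints each ingress IP that has no DNAT rule; returns 1 if any is missing.
missing_lb_rules() {
  rules=$1; port=$2; rc=0
  shift 2
  for ip in "$@"; do
    lb_dnat_target "$rules" "$ip" "$port" >/dev/null || { printf '%s\n' "$ip"; rc=1; }
  done
  return "$rc"
}

# On a node, pass "$(iptables-save -t nat)" or "$(ip6tables-save -t nat)" as RULES.
missing_lb_rules "$SAMPLE_RULES" 80 10.46.56.131 2620:52:0:2e38::200 \
  && echo "every ingress IP has a DNAT rule"
```

An ingress IP reported as missing on the announcing node is the condition under which the curl from the secondary interface would be expected to fail.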

Comment 31 errata-xmlrpc 2022-03-10 16:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 32 Red Hat Bugzilla 2023-09-15 01:18:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

