Description of problem: MetalLB + OVNK. Layer 2 mode, the service client tries to hit the service from a network connected to a secondary nic of the host (not br-ex). Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Deploy MetalLB 2. Deploy an application that leverages a service using an ip from the network reacheable from a secondary nic 3. Try to reach the service from a network connected to a secondary nic Actual results: It's not possible to reach the service Expected results: The service is reacheable Additional info:
*** Bug 2038309 has been marked as a duplicate of this bug. ***
Bz verified on dual stack cluster version 4.10.0-fc.2 by QE Networking 1. Create dual stack layer2 AddressPool 2. Create a service [gkopels@ cnf-gotests (metallb-47182-1)]$ oc get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx LoadBalancer 172.30.77.129 10.46.56.131,2620:52:0:2e38::200 80:31186/TCP 44m 3. Create a backend service [gkopels@ cnf-gotests (metallb-47182-1)]$ oc get pods -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx 1/1 Running 0 39m 10.131.0.143 helix13.lab.eng.tlv2.redhat.com <none> <none> 4. On same node as the backend service pod create interface dummy0 [root@helix13 core]# ip a show dummy0 162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff inet 10.100.100.254/24 scope global dummy0 valid_lft forever preferred_lft forever inet6 2620:52:0:2e38::500/64 scope global valid_lft forever preferred_lft forever inet6 fe80::48ad:c2ff:fe22:e903/64 scope link valid_lft forever preferred_lft forever 5. Verify service and announcing node [gkopels@ test_cases]$ oc describe service nginx Name: nginx Namespace: default Labels: <none> Annotations: metallb.universe.tf/address-pool: addresspool2 Selector: app=nginx Type: LoadBalancer IP Family Policy: RequireDualStack IP Families: IPv4,IPv6 IP: 172.30.77.129 IPs: 172.30.77.129,fd02::d24d LoadBalancer Ingress: 10.46.56.131, 2620:52:0:2e38::200 Port: <unset> 80/TCP TargetPort: 80/TCP NodePort: <unset> 31186/TCP Endpoints: 10.131.0.143:80 Session Affinity: None External Traffic Policy: Local HealthCheck NodePort: 30149 Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal IPAllocated 6m15s metallb-controller Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"] Normal nodeAssigned 2s (x2 over 2s) metallb-speaker announcing from node "helix13.lab.eng.tlv2.redhat.com" [gkopels@ test_cases]$ oc describe service nginx Name: nginx Namespace: default Labels: <none> Annotations: metallb.universe.tf/address-pool: addresspool2 Selector: app=nginx Type: LoadBalancer IP Family Policy: RequireDualStack IP Families: IPv4,IPv6 IP: 172.30.77.129 IPs: 172.30.77.129,fd02::d24d LoadBalancer Ingress: 10.46.56.131, 2620:52:0:2e38::200 Port: <unset> 80/TCP TargetPort: 80/TCP NodePort: <unset> 31186/TCP Endpoints: 10.131.0.143:80 Session Affinity: None External Traffic Policy: Local HealthCheck NodePort: 30149 Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal IPAllocated 6m17s metallb-controller Assigned IP ["10.46.56.131" "2620:52:0:2e38::200"] Normal nodeAssigned 4s (x2 over 4s) metallb-speaker announcing from node "helix13.lab.eng.tlv2.redhat.com" 6. Curl external IPv4 with dummy0 as source address curl --interface 10.100.100.254 10.46.56.131 7. Curl external IPv6 with dummy0 as source address curl --interface 2620:52:0:2e38::500 [2620:52:0:2e38::200] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0;
Reran the test with a new IPv6 address on interface dummy0 outside of the IPv6 node IP range. [root@helix13 core]# ip a show dummy0 162: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 4a:ad:c2:22:e9:03 brd ff:ff:ff:ff:ff:ff inet 10.100.100.254/24 scope global dummy0 valid_lft forever preferred_lft forever inet6 2620:52:0:200::500/64 scope global valid_lft forever preferred_lft forever inet6 fe80::48ad:c2ff:fe22:e903/64 scope link valid_lft forever preferred_lft forever [root@helix13 core]# curl --interface 2620:52:0:200::500 [2620:52:0:2e38::200] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } ### AddressPool ### apiVersion: metallb.io/v1beta1 kind: AddressPool metadata: name: addresspool2 namespace: metallb-system spec: protocol: layer2 autoAssign: true addresses: - 10.46.56.131-10.46.56.132 - 2620:52:0:2e38::200-2620:52:0:2e38::400
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056