Bug 2099755
| Summary: | EgressIP node's mgmtIP reachability configuration option | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Mohamed Mahmoud <mmahmoud> |
| Component: | Networking | Assignee: | Mohamed Mahmoud <mmahmoud> |
| Networking sub component: | ovn-kubernetes | QA Contact: | jechen <jechen> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | jechen |
| Version: | 4.11 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.11.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-10 11:18:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mohamed Mahmoud
2022-06-21 16:00:14 UTC
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.0-0.nightly-2022-06-23-153912 True False 4h48m Cluster version is 4.11.0-0.nightly-2022-06-23-153912
$ oc debug node/$(oc -n openshift-network-operator get pod -l name=network-operator -o jsonpath='{.items[0].spec.nodeName}') -- chroot /host bash -c 'sed -i -e "/enable-egress-ip=true/a\ egressip-reachability-total-timeout=10" "/proc/$(pgrep -f [c]luster-network-operator)/root/bindata/network/ovn-kubernetes/self-hosted/004-config.yaml"'
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/jechen-0624a-q9hpw-master-2copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
Removing debug pod ...
$ oc delete -n openshift-ovn-kubernetes cm ovnkube-config
configmap "ovnkube-config" deleted
$ oc -n openshift-ovn-kubernetes get cm
NAME DATA AGE
control-plane-status 1 3h44m
kube-root-ca.crt 1 3h45m
openshift-service-ca.crt 1 3h45m
ovn-ca 1 3h45m
ovn-kubernetes-master 0 3h44m
ovnkube-config 1 28s
signer-ca 1 3h45m
$ oc -n openshift-ovn-kubernetes get cm ovnkube-config -oyaml
apiVersion: v1
data:
ovnkube.conf: |-
[default]
mtu="1360"
cluster-subnets="10.128.0.0/14/23"
encap-port="6081"
enable-lflow-cache=true
lflow-cache-limit-kb=1048576
[kubernetes]
service-cidrs="172.30.0.0/16"
ovn-config-namespace="openshift-ovn-kubernetes"
apiserver="https://api-int.jechen-0624a.qe.gcp.devcluster.openshift.com:6443"
host-network-namespace="openshift-host-network"
platform-type="GCP"
[ovnkubernetesfeature]
enable-egress-ip=true
egressip-reachability-total-timeout=10
enable-egress-firewall=true
enable-egress-qos=true
[gateway]
mode=shared
nodeport=true
kind: ConfigMap
metadata:
creationTimestamp: "2022-06-24T16:47:49Z"
name: ovnkube-config
namespace: openshift-ovn-kubernetes
ownerReferences:
- apiVersion: operator.openshift.io/v1
blockOwnerDeletion: true
controller: true
kind: Network
name: cluster
uid: 118a54e3-d8a2-4602-bbc2-eed1f824cb84
resourceVersion: "100006"
uid: d8f352db-db59-453b-ba9e-71f238075b9f
# However, if I configure egressip-reachability-total-timeout to 5 using the same commands above, I get two entries in ovnkube-config. Is this correct?
$ oc -n openshift-ovn-kubernetes get cm ovnkube-config -oyaml
apiVersion: v1
data:
ovnkube.conf: |-
[default]
mtu="1360"
cluster-subnets="10.128.0.0/14/23"
encap-port="6081"
enable-lflow-cache=true
lflow-cache-limit-kb=1048576
[kubernetes]
service-cidrs="172.30.0.0/16"
ovn-config-namespace="openshift-ovn-kubernetes"
apiserver="https://api-int.jechen-0624a.qe.gcp.devcluster.openshift.com:6443"
host-network-namespace="openshift-host-network"
platform-type="GCP"
[ovnkubernetesfeature]
enable-egress-ip=true
egressip-reachability-total-timeout=5
egressip-reachability-total-timeout=10
enable-egress-firewall=true
enable-egress-qos=true
[gateway]
mode=shared
nodeport=true
kind: ConfigMap
metadata:
creationTimestamp: "2022-06-24T18:12:55Z"
name: ovnkube-config
namespace: openshift-ovn-kubernetes
ownerReferences:
- apiVersion: operator.openshift.io/v1
blockOwnerDeletion: true
controller: true
kind: Network
name: cluster
uid: 118a54e3-d8a2-4602-bbc2-eed1f824cb84
resourceVersion: "129763"
uid: e4ffce14-0265-4e91-a04d-e8c5e05d8504
Checked with Mohamed Mahmoud: this bug is about being able to configure egressip-reachability-total-timeout; seeing two entries after two configurations is correct. Will verify egressIP with egressip-reachability-total-timeout configured when his API PR https://github.com/openshift/api/pull/1210 is merged.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
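The doubled key in the second ConfigMap comes from the way the option was injected: the sed `a\` in the debug-pod one-liner appends a fresh line under enable-egress-ip=true on every run, and deleting ovnkube-config only makes the Network operator (its owner, per ownerReferences) regenerate the ConfigMap from the now twice-patched template. The script below is an added example, not code from this bug, from cluster-network-operator or from ovn-kubernetes: it shows that non-idempotent append next to an idempotent set-or-replace for an INI-style ovnkube.conf, run on a constructed fragment modelled on the ConfigMap in the log. The function names (naive_append, set_ini_key, count_ini_key, get_ini_key, make_sample_conf) and the sample file are this example's own; it assumes sections are [name] lines and keys are key=value with no whitespace around the equals sign. Worth keeping in mind: the route used in the bug needs a privileged, host-PID debug pod writing into the operator's filesystem (the PodSecurity warning in the log lists exactly what it violates), which is a test-lab shortcut for exercising the option, not a configuration interface.

```shell
#!/bin/sh
# Added example (not from the bug report, cluster-network-operator or
# ovn-kubernetes): idempotent key-setting for an INI-style ovnkube.conf,
# beside the non-idempotent sed "a\" append used in the bug.
# Assumptions: sections are "[name]" lines, keys are "key=value" with no
# whitespace around "=", and leading indentation is kept as found. The
# sample configuration is constructed here, modelled on the bug's ConfigMap.

# naive_append FILE KEY VALUE: the bug's approach, reduced to its sed.
# Appends KEY=VALUE after enable-egress-ip=true unconditionally, so every
# run adds one more line (a second run lands the new value above the old one,
# which is the "=5" over "=10" ordering seen in the bug).
naive_append() {
  sed -e "/^ *enable-egress-ip=true\$/a\\
$2=$3" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_ini_key FILE SECTION KEY VALUE: rewrite KEY in SECTION if present
# (dropping any later duplicates), otherwise add it at the end of SECTION.
set_ini_key() {
  awk -v sec="$2" -v key="$3" -v val="$4" '
    { line = $0; sub(/^[ \t]+/, "", line)
      lead = substr($0, 1, length($0) - length(line)) }   # lead = indentation
    line ~ /^\[.*\]$/ {
      # leaving the target section without having written the key: append it
      if (in_sec && !done) { print indent key "=" val; done = 1 }
      in_sec = (line == ("[" sec "]")); indent = lead
      print; next
    }
    in_sec && index(line, key "=") == 1 {
      # first occurrence is rewritten in place; later duplicates are dropped
      if (!done) { print lead key "=" val; done = 1 }
      next
    }
    in_sec && line != "" { indent = lead }
    { print }
    END { if (in_sec && !done) print indent key "=" val }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_ini_key FILE SECTION KEY: number of KEY= lines inside SECTION
count_ini_key() {
  awk -v sec="$2" -v key="$3" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^\[.*\]$/ { in_sec = (line == ("[" sec "]")); next }
    in_sec && index(line, key "=") == 1 { n++ }
    END { print n + 0 }
  ' "$1"
}

# get_ini_key FILE SECTION KEY: value of the first KEY= line inside SECTION
get_ini_key() {
  awk -v sec="$2" -v key="$3" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^\[.*\]$/ { in_sec = (line == ("[" sec "]")); next }
    in_sec && index(line, key "=") == 1 { print substr(line, length(key) + 2); exit }
  ' "$1"
}

# make_sample_conf FILE: constructed ovnkube.conf fragment (not the real file)
make_sample_conf() {
  cat > "$1" <<'EOF'
[default]
mtu="1360"
[ovnkubernetesfeature]
enable-egress-ip=true
enable-egress-firewall=true
enable-egress-qos=true
[gateway]
mode=shared
EOF
}

conf=$(mktemp)
k=egressip-reachability-total-timeout
make_sample_conf "$conf"
naive_append "$conf" "$k" 10
naive_append "$conf" "$k" 5
echo "naive sed after two runs: $(count_ini_key "$conf" ovnkubernetesfeature "$k") entries"

make_sample_conf "$conf"
set_ini_key "$conf" ovnkubernetesfeature "$k" 10
set_ini_key "$conf" ovnkubernetesfeature "$k" 5
echo "set_ini_key after two runs: $(count_ini_key "$conf" ovnkubernetesfeature "$k") entry, value $(get_ini_key "$conf" ovnkubernetesfeature "$k")"
rm -f "$conf"
```

The awk in set_ini_key walks the file once: inside the target section the first matching key is rewritten in place and any later copies are discarded, and if the section ends (next header or end of file) without the key having been seen, the key is appended with the section's indentation. Running it twice therefore leaves one line, whereas the sed append leaves one line per run.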