Bug 2111534 - [OVNK] Conntrack Rules are removed before the service rules/flows
Summary: [OVNK] Conntrack Rules are removed before the service rules/flows
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.12.0
Assignee: Surya Seetharaman
QA Contact: Weibin Liang
Depends On:
Blocks: 2111548
TreeView+ depends on / blocked
Reported: 2022-07-27 12:59 UTC by Surya Seetharaman
Modified: 2023-01-17 19:54 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2111548 (view as bug list)
Last Closed: 2023-01-17 19:53:34 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 1214 0 None Merged Bug 2111534: Downstream Merge: 27-07-2022 2022-09-01 18:00:07 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:54:01 UTC

Description Surya Seetharaman 2022-07-27 12:59:46 UTC
Description of problem:

When we fixed https://bugzilla.redhat.com/show_bug.cgi?id=2053609, we ended up deleting the conntrack entries for services before the service flows and iptable rules were removed.

To be safer, removing conntrack entries should be done after the service flows and rules to ensure the entries don't get recreated.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 2 Weibin Liang 2022-08-17 19:29:51 UTC
Comparing verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=2053609#c14, can not see the entry with the dnat from externalIP/ to clusterIP/ in 4.12.0-0.nightly-2022-08-15-150248.

[weliang@weliang ~]$ oc get all -o wide -n test-sctp
NAME             READY   STATUS    RESTARTS   AGE     IP            NODE                              NOMINATED NODE   READINESS GATES
pod/sctpclient   1/1     Running   0          5h36m   weliang-817a-w4wnl-worker-9d8ks   <none>           <none>
pod/sctpserver   1/1     Running   0          5h36m    weliang-817a-w4wnl-worker-nqz6f   <none>           <none>

NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)            AGE     SELECTOR
service/sctpservice   LoadBalancer   30102:30741/SCTP   5h36m   name=sctpserver
[weliang@weliang ~]$ 

## streaming traffic and checking entries simultaneously

[weliang@weliang ~]$ oc debug node/weliang-817a-w4wnl-worker-9d8ks
sh-4.4# chroot /host
sh-4.4# conntrack -E -p sctp 
    [NEW] sctp     132 3 src= dst= sport=40919 dport=30102 [UNREPLIED] src= dst= sport=30102 dport=40919 mark=2 zone=24
^Cconntrack v1.4.4 (conntrack-tools): 2 flow events have been shown.

Comment 3 Surya Seetharaman 2022-09-01 18:00:58 UTC
Working with Weibin on this one, we were doing wrong verification steps so the previous message can be ignored.

Comment 4 Weibin Liang 2022-09-01 18:11:01 UTC
Verified in 4.12.0-0.nightly-2022-08-31-101631 after checking conntrack entry in the correct node.
Thanks Surya for helping the debugging the issue.

Comment 7 errata-xmlrpc 2023-01-17 19:53:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.