OCPBUGS-3176: Disable global ipv4 and ipv6 forwarding for OVN deployments#3676
Conversation
openshift-ci-robot
added
jira/severity-moderate
|
@trozet: This pull request references Jira Issue OCPBUGS-3176, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @tssurya |
|
/hold want to launch a cluster bot and ensure this works as expected |
openshift-ci
Bot
added
the
do-not-merge/hold
trozet
force-pushed
the
OCPBUGS-3176
branch
2 times, most recently
from
94a6dc3 to
f0978e1
Compare
|
/test e2e-metal-ipi |
|
metal passed without enabling ip forwarding, but that is most likely because the node ip interface == br-ex interface and ovn-kube will enable forwarding on the br-ex interface for us. We need to cover a case where the node ip interface differs from br-ex. For these cases keepalived will use the node ip interface according to @cybertron so we need to make sure node ip enables ip forwarding on those interfaces. Will add one more commit to this PR to take care of that. |
|
/test e2e-metal-ipi |
|
looks to be working...removing hold: |
|
/hold cancel |
openshift-ci
Bot
removed
the
do-not-merge/hold
|
/assign @cybertron |
|
/lgtm This should be fine from an on-prem perspective. |
Enable forwarding globally can cause undesirable effects for customers with their server acting as a router (non-default behavior). OVNK now enables and restricts forwarding on a per managed interface basis. So there is no need to enable this globally anymore. Signed-off-by: Tim Rozet <trozet@redhat.com>
A user or IDE may unsuspectingly add a newline to the end of conditionalized rendered templates that will fail the check to see if there is any data actually to be rendered. Signed-off-by: Tim Rozet <trozet@redhat.com>
Service will configure ip forwarding for the selected node ip interface. Signed-off-by: Tim Rozet <trozet@redhat.com>
|
/assign @sinnykumari |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cybertron, jcaamano, sinnykumari, trozet, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
/retest-required |
|
/retest-required |
1 similar comment
|
/retest-required |
|
@trozet: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required |
|
@trozet: Jira Issue OCPBUGS-3176: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-3176 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
With ovn-kubernetes/ovn-kubernetes#3374 and openshift/machine-config-operator#3676 we stopped enabling IP forwarding globally in the OCP host. It is now only enabled on interfaces that OVNK manages. Additionally iptables rules are put in place to limit what traffic is forwarded. This was to resolve an issue where our node by default acts as a router: https://issues.redhat.com/browse/OCPBUGS-3176 With these changes, by default in OCP we will no longer forward IP traffic. Most users should welcome this change as it means the OCP node will not be forwarding traffic unintentionally on their network. However, in case there is some corner case where a user expects traffic to be forwarded we will expose this new config knob to allow them to go back to the old behavior. Signed-off-by: Tim Rozet <trozet@redhat.com>
With ovn-kubernetes/ovn-kubernetes#3374 and openshift/machine-config-operator#3676 we stopped enabling IP forwarding globally in the OCP host. It is now only enabled on interfaces that OVNK manages. Additionally iptables rules are put in place to limit what traffic is forwarded. This was to resolve an issue where our node by default acts as a router: https://issues.redhat.com/browse/OCPBUGS-3176 With these changes, by default in OCP we will no longer forward IP traffic. Most users should welcome this change as it means the OCP node will not be forwarding traffic unintentionally on their network. However, in case there is some corner case where a user expects traffic to be forwarded we will expose this new config knob to allow them to go back to the old behavior. Signed-off-by: Tim Rozet <trozet@redhat.com>
With ovn-kubernetes/ovn-kubernetes#3374 and openshift/machine-config-operator#3676 we stopped enabling IP forwarding globally in the OCP host. It is now only enabled on interfaces that OVNK manages. Additionally iptables rules are put in place to limit what traffic is forwarded. This was to resolve an issue where our node by default acts as a router: https://issues.redhat.com/browse/OCPBUGS-3176 With these changes, by default in OCP we will no longer forward IP traffic. Most users should welcome this change as it means the OCP node will not be forwarding traffic unintentionally on their network. However, in case there is some corner case where a user expects traffic to be forwarded we will expose this new config knob to allow them to go back to the old behavior. Signed-off-by: Tim Rozet <trozet@redhat.com>
With changes to disable IP forwarding by default with OVNK: openshift/machine-config-operator#3676 OVN to SDN migration is now broken, because pods roll out first that require IP forwarding. IP forwarding for SDN is enabled via MCO node rollout, which happens later. This change enables IP forwarding in the SDN pod itself if needed. Signed-off-by: Tim Rozet <trozet@redhat.com>
With openshift/machine-config-operator#3676 we removed globally setting ip forwarding in MCO. We should not be setting it in the default profile for OpenShift. We now set it on a per interface basis as needed. However, by setting proc/sys/net/ipv4/forward rather than (forwarding) it will reset all the values: "This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers)" We suspect this causes upgrade to fail. NTO sets this to 1, which then resets all the per interface config that OVNK wrote. Then during upgrade when there is a tuned profile change, the config change is rolled back so forward is 0, and now there is no connectivity to kapi and upgrade fails. Signed-off-by: Tim Rozet <trozet@redhat.com>
With openshift/machine-config-operator#3676 we removed globally setting ip forwarding in MCO. We should not be setting it in the default profile for OpenShift. We now set it on a per interface basis as needed. However, by setting proc/sys/net/ipv4/forward rather than (forwarding) it will reset all the values: "This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers)" We suspect this causes upgrade to fail. NTO sets this to 1, which then resets all the per interface config that OVNK wrote. Then during upgrade when there is a tuned profile change, the config change is rolled back so forward is 0, and now there is no connectivity to kapi and upgrade fails. Signed-off-by: Tim Rozet <trozet@redhat.com>
|
Fix included in accepted release 4.14.0-0.nightly-2023-09-11-201102 |
|
Fix included in accepted release 4.14.0-0.nightly-2023-09-12-024050 |
|
Fix included in accepted release 4.14.0-0.nightly-2023-09-15-101929 |
8 participants
Enable forwarding globally can cause undesirable effects for customers with their server acting as a router (non-default behavior). OVNK now enables and restricts forwarding on a per managed interface basis. So there is no need to enable this globally anymore.