-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EgressSeparateSubnet feature doesn't work on OCP v4.15 #6546
Comments
The feature |
I did some troubleshooting on OCP4.16 env, I found that the value updated by Antrea should be reset by OpenShift cluster node tuning operator. According to official OCP docs https://docs.openshift.com/container-platform/4.13/nodes/containers/nodes-containers-sysctls.html#namespaced-and-node-level-sysctls and https://docs.openshift.com/container-platform/4.16/scalability_and_performance/using-node-tuning-operator.html#advanced-node-tuning-hosted-cluster_node-tuning-operator, users can update node level sysctl via 'Node Tuning Operator', but unfortunately, it doesn't work well when the interface name includes dot (e.g. antrea-ext.10). I have created an issue in the operator repo openshift/cluster-node-tuning-operator#1128 to track this problem. For now, I think we may consider to add a known issue section for EgressSeparateSubnet on OCP until the issue is fixed. |
@luolanzone could it work if you use the operator to set |
yes, I tried and the all.rp_filter can be updated, I guess we can choose this as an alternative solution to let users to change the default rp_filter to 2 in OCP? But I think it need to be done before Antrea is installed. When the antrea-ext.10 already exists, the value won't be impacted by the new all.rp_filter. I can verify if there is a way to update the default one to 2. |
It doesn't need to. See https://sysctl-explorer.net/net/ipv4/rp_filter/
I think we can document the workaround. |
Ah, got it, I will check and update a workaround for this. Thanks for the info. |
A document with a workaround is merged: #6622 |
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days. You can add a label "lifecycle/frozen" to skip stale checking. |
Describe the bug
Hi,
I deployed an OCP testbed with version 4.15, and enabled feature "EgressSeparateSubnet". After I deployed the Egress IPPool and Egress CRs, I found that the traffic doesn't work. After capturing packets, we found that the request is successfully sent to the Egress Node, but not entering OVS pipeline from the tunnel port.
After checking with syctl configurations, it shows that the rp_filter value is "1" on the NIC antrea-ext.$vlan_id, which is not using the expected value "2". From antrea-agent log, it shows that this logic is supposed to run successfully, because we didn't find the related error reports in the logs.
To Reproduce
Expected
Actual behavior
Versions:
Additional context
The text was updated successfully, but these errors were encountered: