Maybe the iptables or openflow was corrupt on your env.

Can you check on the node *10.160.67.128*, if there is an openflow rule like:

table=100, priority=100,ip,reg0=0xXXXXXX actions=set_field:xx:xx:xx:xx:xx:xx->eth_dst,set_field:0xXXXXXXX->pkt_mark,goto_table:101

and if the following iptables rule exists?

nat table: OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0xXXXXXXX -j SNAT --to-source 10.160.67.253



On 01/09/2018 02:14 AM, Aditya Somasundara wrote:
Removed the IP from 10.160.67.192, rebooted all the nodes and still don't see the NATing happening:

[root@localhost ~]# oc get hostsubnet
NAME            HOST            HOST IP         SUBNET          EGRESS IPS
*10.160.67.128* 10.160.67.128   10.160.67.128   10.130.0.0/23   *[10.160.67.253]*
10.160.67.192   10.160.67.192   10.160.67.192   10.129.0.0/23   []
10.160.67.64    10.160.67.64    10.160.67.64    10.128.0.0/23   []

curl
*10.160.67.128* - - [08/Jan/2018 18:10:47] "GET / HTTP/1.1" 200 -

On Sun, Jan 7, 2018 at 6:48 PM, bmeng <[email protected]> wrote:

    Hi,

    Your problem is you had set the same EgressIP to multiple hosts.
    The EgressIP will not SNAT the egress traffic if it appears in
    multiple hosts.

    [root@localhost ~]# oc get hostsubnet
    NAME            HOST            HOST IP         SUBNET          EGRESS IPS
    10.160.67.128   10.160.67.128   10.160.67.128   10.130.0.0/23   *[10.160.67.253]*
    10.160.67.192   10.160.67.192   10.160.67.192   10.129.0.0/23   *[10.160.67.253]*
    10.160.67.64    10.160.67.64    10.160.67.64    10.128.0.0/23   []

    Thanks.


    On 01/06/2018 06:21 AM, Aditya Somasundara wrote:
    I have configured the Egress IPs as mentioned in the link
    https://docs.openshift.com/container-platform/latest/admin_guide/managing_networking.html#enabling-static-ips-for-external-project-traffic


    but I don't see the server receiving traffic with the NAT'ted
    source IP configured. Am I missing some configuration? (pls see
    details below).

    Thanks,


        Version

    OpenShift Master:
        v3.7.9
    Kubernetes Master:
        v1.7.6+a08f5eeb62


    *1.* *[root@localhost ~]# oc get netnamespaces*
    oc get hostsubnet
    NAME                                NETID      EGRESS IPS
    admin                               7512341    []
    default                             0          []
    *egress-ip-project*                 9734640    *[10.160.67.253]*
    kube-public                         4698488    []
    kube-service-catalog                0          []
    kube-system                         4311131    []
    logging                             11883490   []
    management-infra                    2810647    []
    openshift                           3933613    []
    openshift-ansible-service-broker    11884716   []
    openshift-infra                     16683205   []
    openshift-node                      8520228    []
    openshift-template-service-broker   12892895   []
    red                                 15089640   []
    someproject                         9813566    []
    *[root@localhost ~]# oc get hostsubnet*
    NAME            HOST            HOST IP         SUBNET          EGRESS IPS
    *10.160.67.128* 10.160.67.128   10.160.67.128   10.130.0.0/23   *[10.160.67.253]*
    10.160.67.192   10.160.67.192   10.160.67.192   10.129.0.0/23   [10.160.67.253]
    10.160.67.64    10.160.67.64    10.160.67.64    10.128.0.0/23   []
    *[root@localhost ~]# oc get pods -n egress-ip-project -o wide*
    NAME                 READY     STATUS    RESTARTS   AGE       IP             NODE
    *test-app-1-2gvxs*   1/1       Running   0          6m        10.130.1.39    *10.160.67.128*
    test-app-1-52vr2     1/1       Running   0          6m        10.129.1.110   10.160.67.192

    *2.* *On Source node* (where test-app-1-2gvxs is running, curl to
    an outside IP address as below):
    [root@localhost ~]# *docker ps | grep test-app-1-2gvxs*
    86cf5969b93e   docker.io/avinetworks/server-os@sha256:b3986cfb559e0df1a234b76e6b5caf003492970d05c749a37e28ef1b9e9951f1   "/bin/server.sh"   8 minutes ago   Up 8 minutes   k8s_test-app_test-app-1-2gvxs_egress-ip-project_bb3e2882-f263-11e7-b91a-005056add497_0
    6e2520a59826   openshift3/ose-pod:v3.7.9   "/usr/bin/pod"   8 minutes ago   Up 8 minutes   k8s_POD_test-app-1-2gvxs_egress-ip-project_bb3e2882-f263-11e7-b91a-005056add497_0
    [root@localhost ~]# docker exec -it 86c bash
    bash-4.3$ *curl 10.160.1.100:8088*
    *<h> Hello from 10.160.1.100 <\h>*

    *3.* *On Server 10.160.1.100:*
    >> *10.160.67.128* - - [05/Jan/2018 22:08:14] "GET / HTTP/1.1" 200
    <<< source IP is 10.160.67.128 instead of 10.160.67.253


    _______________________________________________
    dev mailing list
    [email protected]
    <mailto:[email protected]>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
    <http://lists.openshift.redhat.com/openshiftmm/listinfo/dev>


