StarlingX

IGMP queries from address 0.0.0.0 being blocked

Bug #2039881 reported by Caio Bruchert
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Caio Bruchert

Bug Description

Brief Description
-----------------
IGMP queries from address 0.0.0.0 on the cluster-host and mgmt networks are being blocked and it causes the heartbeat traffic to stop and the controller-0 to reboot.
IGMP queries with source address 0.0.0.0 are sent when the switch between the controllers has IGMP snooping enabled on a VLAN without an IP address configured.

Severity
--------
Critical

Steps to Reproduce
------------------
Configure the switch with IGMP snooping for the mgmt or cluster-host VLAN.
The VLAN must have no IP address configured.

Expected Behavior
------------------
IGMP queries with source address 0.0.0.0 from the switch should be allowed and IGMP reports should be seen.

Actual Behavior
----------------
IGMP queries with source address 0.0.0.0 from the switch are block and IGMP reports are not seen.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
AIO-DX

Branch/Pull Time/Commit
-----------------------
master

Last Pass
---------
Before the firewall was implemented

Timestamp/Logs
--------------

Test Activity
-------------
Regression Testing

Workaround
Edit the firewall rules for mgmt and cluster-host networks to allow IGMP with source address 0.0.0.0/32 using:
kubectl edit globalnetworkpolicies.crd.projectcalico.org controller-mgmt-if-gnp
kubectl edit globalnetworkpolicies.crd.projectcalico.org controller-cluster-host-if-gnp

Caio Bruchert (cbrucher)
Changed in starlingx:
assignee: nobody → Caio Bruchert (cbrucher)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/898856

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.networking
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/898856
Committed: https://opendev.org/starlingx/config/commit/731a5a4d7bc918682e8d8658f2c6ed00d191cb77
Submitter: "Zuul (22348)"
Branch: master

commit 731a5a4d7bc918682e8d8658f2c6ed00d191cb77
Author: Caio Bruchert <email address hidden>
Date: Thu Oct 19 16:14:55 2023 -0300

    Firewall: allow IGMP queries from 0.0.0.0

    IGMP queries from address 0.0.0.0 on the cluster-host and mgmt networks
    are being blocked and it causes the heartbeat traffic to stop and the
    controller-0 to reboot.
    IGMP queries with source address 0.0.0.0 are sent when the switch
    between the controllers has IGMP snooping enabled on a VLAN without an
    IP address configured.

    Test Plan:
        PASS: check if IGMP rules for all networks are correct
        PASS: check if the IGMP queries from 0.0.0.0 are allowed and IGMP
              reports are replied
        PASS: check if heartbeat messages are exchanged between the
              controllers

    Closes-Bug: 2039881

    Signed-off-by: Caio Bruchert <email address hidden>
    Change-Id: Id930edf692dbd59fecef4647904abfc58e881669

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.