RKE2 Cluster running Calico seemingly losing UDP traffic when transiting through service IP to remotely located pod #1541
Comments
As noted in rancher/rancher#33052 (comment), it seems like this regressed, was fixed, and then regressed again, possibly due to different versions of RKE2.
I debugged this with Arvind and we found interesting behavior: UDP DNS queries cannot be resolved when they transit through the service IP for CoreDNS, i.e. the DNS service IP. This is when using the Calico CNI. In our testing it only occurs on Ubuntu 20.04; on my CentOS 7 test boxes we did not run into this issue.
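For illustration, a hedged sketch of the two paths, assuming the default RKE2 DNS service IP 10.43.0.10 and a hypothetical CoreDNS pod IP of 10.42.1.5:

```sh
# Query through the CoreDNS service (cluster) IP: times out on the affected Ubuntu 20.04 nodes
dig @10.43.0.10 google.com

# Query the CoreDNS pod directly (10.42.1.5 is a hypothetical pod IP): resolves fine
dig @10.42.1.5 google.com
```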
For good measure, …
Does it make any difference if you switch the host iptables between legacy/nftables, or uninstall the host iptables+nftables so that we use the embedded ones?
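For reference, a hedged sketch of how one might switch the backend, assuming an Ubuntu/Debian host where iptables is managed through update-alternatives:

```sh
# Check which backend the host iptables is using (prints "(legacy)" or "(nf_tables)")
iptables --version

# Switch the host binaries to the legacy backend
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
```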
Not sure about this. cc: @Oats87. However, I was able to test this on a …
In a …
Without specifying …, it seems like this is definitely related to Calico, as indicated in the ticket title.
Editing comment: things seem to work when the pod is the client. The problem comes when the host tries to access the service. This is also happening on v1.21.3+rke2r1.
When tracking the packet, I see it going through the correct kube-proxy iptables chains. I can see the packet leaving the node, and I can see it reaching the other node (the one where coredns is). Then the packet disappears.
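A hedged sketch of the kind of checks involved here, assuming the default DNS service IP 10.43.0.10 and the standard kube-proxy chain names:

```sh
# Confirm kube-proxy installed a DNAT rule for the DNS service IP
iptables -t nat -L KUBE-SERVICES -n -v | grep 10.43.0.10

# Watch the conntrack entries for the UDP/53 flow while running dig from the host
conntrack -L -p udp | grep 'dport=53'
```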
Sniffing a packet targeting the service, on the node with coredns, interface eth0: the packet shows up.
Sniffing a packet targeting the pod implementing the service, on the node with coredns, interface eth0: the packet shows up.
Sniffing a packet targeting the service, on the node with coredns, interface vxlan.calico: nothing.
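A hedged reconstruction of the kind of capture used here, assuming the default interface names eth0 and vxlan.calico:

```sh
# On the node hosting coredns: the encapsulated query arrives on the physical interface
# (VXLAN uses UDP port 4789; tcpdump decodes and prints the inner packet)
tcpdump -ni eth0 udp port 4789

# The decapsulated DNS query should then appear on the Calico VXLAN device;
# when the query went through the cluster IP, nothing shows up here
tcpdump -ni vxlan.calico udp port 53
```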
After looking at different things, I noticed that when accessing the service directly via the pod IP, the capture shows a correct UDP checksum. But if we access the service via the clusterIP, the checksum is reported as bad.

After investigating a bit, I read that this is a known kernel bug that was fixed in 5.7. Apparently, the kernel driver miscalculates the checksum when vxlan offloading is on and the packet is NATed, which is our case when accessing the service via the ClusterIP. CentOS and RHEL 8 have backported the fix but Ubuntu has not, which is why we only see it on Ubuntu (note that Ubuntu 20.04 uses kernel 5.4.0). This is the kernel fix: torvalds/linux@ea64d8d.

Manual fix and Calico's recommended fix: see the sketch below.

TO DO: …
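A hedged sketch of both workarounds, assuming the Calico VXLAN device is named vxlan.calico and a CRD-backed FelixConfiguration named default (whether you patch it with kubectl or calicoctl depends on the install; the exact values are assumptions, not copied from this thread):

```sh
# Manual workaround: turn off TX checksum offload on the Calico VXLAN device
# (must be reapplied if the interface is recreated)
ethtool -K vxlan.calico tx-checksum-ip-generic off

# Calico-side workaround: tell Felix to treat checksum offload as broken so it
# disables the offload itself
kubectl patch felixconfiguration default --type merge \
  -p '{"spec":{"featureDetectOverride":"ChecksumOffloadBroken=true"}}'
```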
Disabling the offload works around it.
Same issue in openSUSE SP3. Fixed after running the ethtool workaround described above.
@manuelbuil Are you sure that the kernel commit you linked is the only one? It's already applied in SLE 15 SP3 / Leap 15.3, and you seem to have issues on SLE/openSUSE anyway.
I got the link from projectcalico/calico#3145 (comment). I reported some issues on openSUSE, but they were related to a dirty environment. Once I deployed freshly, I was able to see the same problem as on Ubuntu.
This fixes rancher/rke2#1541 even for kernel version > 5.7
Signed-off-by: Manuel Buil <[email protected]>
Reopening for testing in rke2.
@rancher-max apart from doing the dig check, please also verify that the felixconfigurations include the override described above.
We are only passing …
Leaving this open to validate on the 1.22 release line, but confirmed working in v1.21.3-rc7+rke2r2. Validated that the dig command works on all nodes and that the felixconfigurations are set as mentioned above. Also confirmed running …
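A hedged sketch of how that validation can be checked, assuming kubectl access and the default FelixConfiguration resource name:

```sh
# DNS resolution through the cluster DNS service IP, run from every node
dig @10.43.0.10 google.com

# Confirm the Felix override is present (resource and field names assume a CRD-backed Calico install)
kubectl get felixconfiguration default -o yaml | grep -i featureDetectOverride
```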
Validated on master commit 09bb5c2
I have the opposite issue. How can I make the offloading work?
Enabling hardware offload will not address issues with insufficient CPU resources. Also, please don't revive old resolved issues to ask unrelated questions; open a new issue or discussion instead.
Environmental Info:
RKE2 Version: v1.21.3-rc3+rke2r2
Node(s) CPU architecture, OS, and Version:
Linux arvind-rke2-1 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Cluster Configuration: 3 server nodes. Also reproducible on 3 etcd, 1 controlplane, and 3 worker nodes
Describe the bug:
UDP traffic that transits through a service IP to a pod on another node is seemingly lost when using the Calico CNI; DNS queries against the CoreDNS service IP fail from every node except the one running CoreDNS.
Steps To Reproduce:
- Install RKE2 with Calico as the CNI; other nodes use the same config plus the server and token fields (see the config sketch below)
- From each node, run: dig @10.43.0.10 google.com
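A minimal sketch of the kind of config implied above, assuming the default path /etc/rancher/rke2/config.yaml; the values are placeholders:

```sh
# First server node: select Calico as the CNI
cat <<'EOF' > /etc/rancher/rke2/config.yaml
cni: calico
EOF

# Additional nodes: same config plus the server URL and join token (placeholder values)
cat <<'EOF' > /etc/rancher/rke2/config.yaml
cni: calico
server: https://<first-server-ip>:9345
token: <cluster-token>
EOF
```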
Expected behavior:
All nodes should be able to resolve the DNS query.
Actual behavior:
Only one node (the one that rke2-coredns is running on) resolves the query.
Additional context / logs:
This issue was diagnosed in rancher/rancher#33052 but reproduced independently of Rancher using the above steps.