Node-Local dns with LocalRedirectPolicy not working on pods listening on port 53 #20164
Description
What happened?
Hi, I just started running into an issue with node-local-dns and the Cilium local redirect policy. Everything was working fine previously on 20.04.
My previous nodes, running
Linux n101 5.4.0-107-generic #121-Ubuntu SMP Thu Mar 24 16:04:27 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
worked just fine; however, my new nodes are running Ubuntu 22.04 with kernel
Linux n001 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
and it does not seem to work properly for some pods, while it does for others.
I'm thinking it might be a kernel issue, because previously I was also using the same Cilium version (1.11.4, then I tried again with Cilium 1.11.5).
Currently I'm on:
kubernetes 1.24.1
cilium 1.11.5
Ubuntu 22.04, up to date
Cilium Version
Client: 1.11.5 b0d3140 2022-05-10T02:47:42+02:00 go version go1.17.9 linux/amd64
Daemon: 1.11.5 b0d3140 2022-05-10T02:47:42+02:00 go version go1.17.9 linux/amd64
Kernel Version
Linux n002 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"clean", BuildDate:"2022-05-24T12:26:19Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"clean", BuildDate:"2022-05-24T12:18:48Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"linux/amd64"}
Sysdump
cilium-sysdump-20220616-083851.zip
Relevant log output
#### WITH POLICY DISABLED
root@dnstest:/root# dig @10.3.0.10 web.site.svc.cluster.local
; <<>> DiG 9.16.27-Debian <<>> @10.3.0.10 web.site.svc.cluster.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52788
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fe7eba1c9b7d2ba8 (echoed)
;; QUESTION SECTION:
;web.site.svc.cluster.local. IN A
;; ANSWER SECTION:
web.site.svc.cluster.local. 25 IN A 10.3.249.244
;; Query time: 0 msec
;; SERVER: 10.3.0.10#53(10.3.0.10)
;; WHEN: Tue Jun 07 02:12:13 UTC 2022
;; MSG SIZE rcvd: 151
#### WITH POLICY ENABLED
root@dnstest:/root# dig @10.3.0.10 web.site.svc.cluster.local
; <<>> DiG 9.16.27-Debian <<>> @10.3.0.10 web.site.svc.cluster.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2353
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f3135a06af572481 (echoed)
;; QUESTION SECTION:
;web.site.svc.cluster.local. IN A
;; Query time: 999 msec
;; SERVER: 10.3.0.10#53(10.3.0.10)
;; WHEN: Tue Jun 07 02:13:08 UTC 2022
;; MSG SIZE rcvd: 88
To the node-local-dns pod on the same host:
root@dnstest:/root# dig @10.2.3.72 web.site.svc.cluster.local
; <<>> DiG 9.16.27-Debian <<>> @10.2.3.72 web.site.svc.cluster.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64896
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e6244d4c09352f06 (echoed)
;; QUESTION SECTION:
;web.site.svc.cluster.local. IN A
;; ANSWER SECTION:
web.site.svc.cluster.local. 6 IN A 10.3.249.244
;; Query time: 3 msec
;; SERVER: 10.2.3.72#53(10.2.3.72)
;; WHEN: Tue Jun 07 02:14:02 UTC 2022
;; MSG SIZE rcvd: 151
tcpdump with the policy off; here it goes straight to the coredns pods in kube-dns correctly:
02:47:44.076470 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [S], seq 2601814125, win 65535, options [mss 1460,sackOK,TS val 3298041818 ecr 0,nop,wscale 9], length 0
02:47:44.076536 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [S], seq 2601814125, win 65535, options [mss 1460,sackOK,TS val 3298041818 ecr 0,nop,wscale 9], length 0
02:47:44.076666 eth0 In IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [S.], seq 2145065476, ack 2601814126, win 65535, options [mss 1460,sackOK,TS val 833701055 ecr 3298041818,nop,wscale 9], length 0
02:47:44.076703 lxc700b5d19881b Out IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [S.], seq 2145065476, ack 2601814126, win 65535, options [mss 1460,sackOK,TS val 833701055 ecr 3298041818,nop,wscale 9], length 0
02:47:44.076728 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 1, win 128, options [nop,nop,TS val 3298041818 ecr 833701055], length 0
02:47:44.076747 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 1, win 128, options [nop,nop,TS val 3298041818 ecr 833701055], length 0
02:47:44.076825 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [P.], seq 1:91, ack 1, win 128, options [nop,nop,TS val 3298041819 ecr 833701055], length 90 64571+ [1au] A? web.site.svc.cluster.local. (88)
02:47:44.076847 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [P.], seq 1:91, ack 1, win 128, options [nop,nop,TS val 3298041819 ecr 833701055], length 90 64571+ [1au] A? web.site.svc.cluster.local. (88)
02:47:44.076914 eth0 In IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [.], ack 91, win 128, options [nop,nop,TS val 833701055 ecr 3298041819], length 0
02:47:44.076928 lxc700b5d19881b Out IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [.], ack 91, win 128, options [nop,nop,TS val 833701055 ecr 3298041819], length 0
02:47:44.077554 eth0 In IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [P.], seq 1:154, ack 91, win 128, options [nop,nop,TS val 833701056 ecr 3298041819], length 153 64571*- 1/0/1 A 10.3.249.244 (151)
02:47:44.077590 lxc700b5d19881b Out IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [P.], seq 1:154, ack 91, win 128, options [nop,nop,TS val 833701056 ecr 3298041819], length 153 64571*- 1/0/1 A 10.3.249.244 (151)
02:47:44.077598 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 154, win 131, options [nop,nop,TS val 3298041819 ecr 833701056], length 0
02:47:44.077617 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 154, win 131, options [nop,nop,TS val 3298041819 ecr 833701056], length 0
02:47:44.078027 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [F.], seq 91, ack 154, win 131, options [nop,nop,TS val 3298041820 ecr 833701056], length 0
02:47:44.078061 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [F.], seq 91, ack 154, win 131, options [nop,nop,TS val 3298041820 ecr 833701056], length 0
02:47:44.078632 eth0 In IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [F.], seq 154, ack 92, win 128, options [nop,nop,TS val 833701057 ecr 3298041820], length 0
02:47:44.078713 lxc700b5d19881b Out IP 10.2.0.42.53 > 10.2.3.143.53337: Flags [F.], seq 154, ack 92, win 128, options [nop,nop,TS val 833701057 ecr 3298041820], length 0
02:47:44.078728 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 155, win 131, options [nop,nop,TS val 3298041820 ecr 833701057], length 0
02:47:44.078758 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [.], ack 155, win 131, options [nop,nop,TS val 3298041820 ecr 833701057], length 0
tcpdump with the policy on; as noted, it still tries to go to 10.3.0.10 instead of 10.2.3.72:
02:45:11.932993 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, win 65535, options [mss 1460,sackOK,TS val 2627356549 ecr 0,nop,wscale 9], length 0
02:45:11.935114 lxc700b5d19881b In IP 10.2.3.143.42160 > 10.3.0.10.53: 2512+ NS? . (17)
02:45:12.949409 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, win 65535, options [mss 1460,sackOK,TS val 2627357565 ecr 0,nop,wscale 9], length 0
02:45:13.437332 lxc700b5d19881b In IP 10.2.3.143.44013 > 10.3.0.10.53: 48493+ NS? . (17)
02:45:14.938081 lxc700b5d19881b In IP 10.2.3.143.40206 > 10.3.0.10.53: 30742+ NS? . (17)
02:45:14.965460 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, win 65535, options [mss 1460,sackOK,TS val 2627359581 ecr 0,nop,wscale 9], length 0
02:45:16.438784 lxc700b5d19881b In IP 10.2.3.143.45143 > 10.3.0.10.53: 31560+ NS? . (17)
02:45:17.939217 lxc700b5d19881b In IP 10.2.3.143.55114 > 10.3.0.10.53: 53360+ NS? . (17)
02:45:19.125544 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, win 65535, options [mss 1460,sackOK,TS val 2627363741 ecr 0,nop,wscale 9], length 0
02:45:19.440629 lxc700b5d19881b In IP 10.2.3.143.40681 > 10.3.0.10.53: 13073+ NS? . (17)
02:45:20.941308 lxc700b5d19881b In IP 10.2.3.143.57037 > 10.3.0.10.53: 13942+ NS? . (17)
02:45:21.926173 lxc700b5d19881b In IP 10.2.3.143.57207 > 10.3.0.10.53: Flags [S], seq 1423905828, win 65535, options [mss 1460,sackOK,TS val 2627366542 ecr 0,nop,wscale 9], length 0
02:45:22.443111 lxc700b5d19881b In IP 10.2.3.143.40074 > 10.3.0.10.53: 29603+ NS? . (17)
02:45:22.933385 lxc700b5d19881b In IP 10.2.3.143.57207 > 10.3.0.10.53: Flags [S], seq 1423905828, win 65535, options [mss 1460,sackOK,TS val 2627367549 ecr 0,nop,wscale 9], length 0
02:45:23.945404 lxc700b5d19881b In IP 10.2.3.143.42131 > 10.3.0.10.53: 2748+ NS? . (17)
Anything else?
I have already tried the sysctl fix + reboot mentioned in #19909.
net.ipv4.conf.cilium_host.rp_filter=0
net.ipv4.conf.cilium_net.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
net.ipv4.conf.lxc*.rp_filter=0
Slack thread https://cilium.slack.com/archives/C53TG4J4R/p1654571691219659
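As an added diagnostic (not from the issue or from Cilium itself), the check below parses tcpdump lines like the ones above and reports whether a pod's port-53 traffic was redirected to the node-local-dns pod, translated to an ordinary CoreDNS backend, or left pointing at the untranslated ClusterIP and retransmitting SYNs as in the failing capture. The IPs are the ones reported in the issue; the sample lines are constructed, shortened versions of the captures above.

```python
import re
from collections import Counter, defaultdict

# Addresses as reported in the issue: the kube-dns ClusterIP and the node-local-dns pod on this host.
KUBE_DNS_CLUSTER_IP = "10.3.0.10"
NODE_LOCAL_DNS_IP = "10.2.3.72"

# tcpdump line shape: "<ts> <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<dir>In|Out) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
SYN_RE = re.compile(r"Flags \[S\], seq (\d+),")

def analyze(lines, cluster_ip=KUBE_DNS_CLUSTER_IP, node_local_ip=NODE_LOCAL_DNS_IP):
    """Classify where a pod's port-53 traffic goes, as seen entering its lxc* veth."""
    by_dst = Counter()
    syn_seen = defaultdict(int)  # (src, sport, seq) -> how many times that SYN was sent
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dir"] != "In" or not m["iface"].startswith("lxc") or m["dport"] != "53":
            continue  # only DNS packets originated by the pod
        by_dst[m["dst"]] += 1
        s = SYN_RE.search(m["rest"])
        if s:
            syn_seen[(m["src"], m["sport"], s.group(1))] += 1
    retransmits = sum(n - 1 for n in syn_seen.values() if n > 1)  # same SYN sent again = no answer
    if by_dst[node_local_ip]:
        verdict = "redirected"     # LocalRedirectPolicy rewrote the ClusterIP to node-local-dns
    elif by_dst[cluster_ip]:
        verdict = "untranslated"   # neither socket-LB nor the LRP rewrote the ClusterIP
    elif by_dst:
        verdict = "service-lb"     # ClusterIP rewritten to an ordinary CoreDNS backend pod
    else:
        verdict = "no-dns-traffic"
    return {"verdict": verdict, "to_cluster_ip": by_dst[cluster_ip],
            "to_node_local": by_dst[node_local_ip], "syn_retransmits": retransmits}

# Constructed samples, shortened from the captures in the issue (TCP options dropped).
POLICY_OFF = [
    "02:47:44.076470 lxc700b5d19881b In IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [S], seq 2601814125, length 0",
    "02:47:44.076536 eth0 Out IP 10.2.3.143.53337 > 10.2.0.42.53: Flags [S], seq 2601814125, length 0",
]
POLICY_ON = [
    "02:45:11.932993 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, length 0",
    "02:45:11.935114 lxc700b5d19881b In IP 10.2.3.143.42160 > 10.3.0.10.53: 2512+ NS? . (17)",
    "02:45:12.949409 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, length 0",
    "02:45:14.965460 lxc700b5d19881b In IP 10.2.3.143.44363 > 10.3.0.10.53: Flags [S], seq 1070528412, length 0",
]
```

Run it against `tcpdump -i any -nn port 53` output taken on the node while the pod does a `dig`; a "redirected" verdict means the policy is being applied, "untranslated" reproduces the failing case above.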