diff --git a/modules/nw-metallb-configure-secondary-interface.adoc b/modules/nw-metallb-configure-secondary-interface.adoc index 94d7647033..35704a6dd5 100644 --- a/modules/nw-metallb-configure-secondary-interface.adoc +++ b/modules/nw-metallb-configure-secondary-interface.adoc 
@@ -8,19 +8,42 @@ From {product-title} 4.14 the default network behavior is to not allow forwardin {product-title} clusters upgraded from 4.13 are not affected because a global parameter is set during upgrade to enable global IP forwarding. ==== -To enable IP forwarding for the secondary interface, you have two options: +To enable IP forwarding for the secondary interface, you have two options: +* Enable IP forwarding for a specific interface. * Enable IP forwarding for all interfaces. -* Enable IP forwarding for a specific interface. + [NOTE] ==== Enabling IP forwarding for a specific interface provides more granular control, while enabling it for all interfaces applies a global setting. ==== +[id="nw-enabling-ip-forwarding-specific-interface_{context}"] +== Enabling IP forwarding for a specific interface .Procedure -. Enable forwarding for a specific secondary interface, such as `bridge-net` by creating and applying a `MachineConfig` CR. +. Patch the Cluster Network Operator, setting the parameter `routingViaHost` to `true`, by running the following command: ++ +[source,terminal] +---- +$ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig": {"routingViaHost": true} }}}}' --type=merge +---- + +. Enable forwarding for a specific secondary interface, such as `bridge-net` by creating and applying a `MachineConfig` CR: + +.. 
Base64-encode the string that is used to configure network kernel parameters by running the following command on your local machine: ++ +[source,terminal] +---- +$ echo -e "net.ipv4.conf.bridge-net.forwarding = 1\nnet.ipv6.conf.bridge-net.forwarding = 1\nnet.ipv4.conf.bridge-net.rp_filter = 0\nnet.ipv6.conf.bridge-net.rp_filter = 0" | base64 -w0 +---- ++ +.Example output ++ +[source,terminal] +---- +bmV0LmlwdjQuY29uZi5icmlkZ2UtbmV0LmZvcndhcmRpbmcgPSAxCm5ldC5pcHY2LmNvbmYuYnJpZGdlLW5ldC5mb3J3YXJkaW5nID0gMQpuZXQuaXB2NC5jb25mLmJyaWRnZS1uZXQucnBfZmlsdGVyID0gMApuZXQuaXB2Ni5jb25mLmJyaWRnZS1uZXQucnBfZmlsdGVyID0gMAo= +---- .. Create the `MachineConfig` CR to enable IP forwarding for the specified secondary interface named `bridge-net`. @@ -32,7 +55,7 @@ apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: labels: - machineconfiguration.openshift.io/role: <1> + machineconfiguration.openshift.io/role: <1> name: 81-enable-global-forwarding spec: config: @@ -41,8 +64,8 @@ spec: storage: files: - contents: - source: data:text/plain;charset=utf-8;base64,`echo -e "net.ipv4.conf.bridge-net.forwarding = 1\nnet.ipv6.conf.bridge-net.forwarding = 1\nnet.ipv4.conf.bridge-net.rp_filter = 0\nnet.ipv6.conf.bridge-net.rp_filter = 0" | base64 -w0` - verification: {} + source: data:text/plain;charset=utf-8;base64,bmV0LmlwdjQuY29uZi5icmlkZ2UtbmV0LmZvcndhcmRpbmcgPSAxCm5ldC5pcHY2LmNvbmYuYnJpZGdlLW5ldC5mb3J3YXJkaW5nID0gMQpuZXQuaXB2NC5jb25mLmJyaWRnZS1uZXQucnBfZmlsdGVyID0gMApuZXQuaXB2Ni5jb25mLmJyaWRnZS1uZXQucnBfZmlsdGVyID0gMAo= <2> + verification: {} filesystem: root mode: 644 path: /etc/sysctl.d/enable-global-forwarding.conf @@ -50,6 +73,7 @@ spec: ---- + <1> Node role where you want to enable IP forwarding, for example, `worker` +<2> Populate with the generated base64 string .. Apply the configuration by running the following command: + 
@@ -58,8 +82,50 @@ spec: $ oc apply -f enable-ip-forward.yaml ---- -. Alternatively, you can enable IP forwarding globally by running the following command: +.Verification + +. After you apply the machine config, verify the changes by following this procedure: + +.. Enter into a debug session on the target node by running the following command: + +[source,terminal] +---- +$ oc debug node/ +---- +This step instantiates a debug pod called `-debug`. + +.. Set `/host` as the root directory within the debug shell by running the following command: ++ +[source,terminal] +---- +$ chroot /host +---- +The debug pod mounts the host’s root file system in `/host` within the pod. By changing the root directory to `/host`, you can run binaries contained in the host’s executable paths. + +.. Verify that IP forwarding is enabled by running the following command: ++ +[source,terminal] +---- +$ cat /etc/sysctl.d/enable-global-forwarding.conf +---- ++ +.Expected output + +[source,terminal] +---- +net.ipv4.conf.bridge-net.forwarding = 1 +net.ipv6.conf.bridge-net.forwarding = 1 +net.ipv4.conf.bridge-net.rp_filter = 0 +net.ipv6.conf.bridge-net.rp_filter = 0 +---- ++ +The output indicates that IPv4 and IPv6 packet forwarding is enabled on the `bridge-net` interface. + +[id="nw-enabling-ip-forwarding-globally_{context}"] +== Enabling IP forwarding globally + +* Enable IP forwarding globally by running the following command: + [source,terminal] ---- $ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"ipForwarding": "Global"}}}}}
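Review bot: In the `@@ -8,19 +8,42 @@` hunk, the string passed to `base64 -w0` sets `rp_filter = 0` for `bridge-net`, but the procedure never says that this turns off reverse-path filtering on that interface or why MetalLB needs it. Add a sentence next to the `echo -e` step explaining the setting, because it removes source-address validation for traffic that arrives on the secondary interface. Also, `rp_filter` is an IPv4-only sysctl, so the `net.ipv6.conf.bridge-net.rp_filter = 0` entry sets nothing; consider dropping it from the command, the example output and the encoded string. The new `routingViaHost` step would benefit from one line on what the change does to the cluster's egress path.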
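Review bot: In the `@@ -32,7 +55,7 @@` hunk, the `machineconfiguration.openshift.io/role:` line still carries only the `<1>` callout and no value, so a reader who copies the YAML gets an empty role label. Put a placeholder such as `<node_role>` before the callout. The context line `name: 81-enable-global-forwarding` also reads oddly now that this block sits under "Enabling IP forwarding for a specific interface"; a name that mentions the interface would match the new section.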
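Review bot: In the `@@ -41,8 +64,8 @@` hunk, the context line `mode: 644` is left unchanged, and Ignition reads that field as a decimal integer, so the file is not created with `rw-r--r--` permissions. Since this hunk already touches the file entry, change it to `mode: 420` (or `0644` where the YAML parser treats it as octal). The path `/etc/sysctl.d/enable-global-forwarding.conf` has the same naming problem as the CR name: the file only configures `bridge-net`. The embedded base64 string is also tied to the interface name `bridge-net`, so callout `<2>` in the next hunk should say that the string must be regenerated for any other interface.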
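Review bot: In the `@@ -58,8 +82,50 @@` hunk, the verification step runs `cat /etc/sysctl.d/enable-global-forwarding.conf`, which only shows that the file was written, not that the kernel applied the values, so the closing sentence "The output indicates that IPv4 and IPv6 packet forwarding is enabled" overstates the result. Query the live values instead, for example `sysctl net.ipv4.conf.bridge-net.forwarding net.ipv6.conf.bridge-net.forwarding`, and say that the check should be run after the machine config has rolled out to the node. As shown here, `oc debug node/` and the pod name `-debug` have no node-name placeholder. The first `[source,terminal]` block, the two explanatory paragraphs after the code blocks, and the block after `.Expected output` are not preceded by a `+` continuation line, unlike the other steps in the hunk, so they will detach from the list items.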