Bug 1310572

Summary: Routes cannot be synced to F5 router
Product: OpenShift Container Platform Reporter: zhaozhanqi <zzhao>
Component: NetworkingAssignee: Eric Paris <eparis>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: high CC: bmeng, ccoleman, eparis, mdluckeopu, sdodson, tdawson
Version: 3.2.0Keywords: Regression
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-12 16:29:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Eric Paris 2016-02-23 16:04:36 UTC 
QA: I believe this is fixed by running `oadm policy reconcile-cluster-roles` after you updated the cluster.

Clayton, didn't you just do something for this? We need to build a new F5 image?
Comment 2 Eric Paris 2016-02-23 16:53:44 UTC 
Troy, what is the latest ose-f5-router that QA should be trying? I know you recently rebuild the ha-proxy container for clayton's fix to this issue.

QA, you want to try to latest container BEFORE you run the reconcile. As the newest container 'should' work even though you did not upgrade the cluster properly.
Comment 3 Troy Dawson 2016-02-23 17:00:45 UTC 
The image built yesterday (which is the latest) is
openshift3/ose-f5-router:v3.1.1.905

If there is a reason the fix wasn't in there, we will be building another one tomorrow, which should be openshift3/ose-f5-router:v3.1.1.905
Comment 4 zhaozhanqi 2016-02-24 04:26:05 UTC 
Tested using the latest images :openshift3/ose-f5-router:v3.1.1.905, the routes can be synced to F5 server. 

but there still has error message in F5 router pod:
E0223 23:18:59.762128       1 status.go:163] Unable to write router status - please ensure you reconcile your system policy or grant this router access to update route status: User "system:openshift-router" cannot update routes/status in project "zzhao"
Comment 5 Eric Paris 2016-02-24 13:43:20 UTC 
now that we know the new image is working, can you run the reconcile command to see if it fixes the log spam?  reconcile should be run automatically when updating using ansible, as I understand it, but you have to run it yourself when you update things by hand...
Comment 6 Scott Dodson 2016-02-24 14:43:36 UTC 
(In reply to Eric Paris from comment #5)
> now that we know the new image is working, can you run the reconcile command
> to see if it fixes the log spam?  reconcile should be run automatically when
> updating using ansible, as I understand it, but you have to run it yourself
> when you update things by hand...

That's correct.
Comment 7 zhaozhanqi 2016-02-25 03:04:25 UTC 
Thanks Eric

After I run 'oadm policy reconcile-cluster-roles --additive-only --confirm'
the error message will disappear.

Could you please help set the state to 'ON_QA', I will verify this bug.
Comment 8 zhaozhanqi 2016-02-25 04:56:40 UTC 
Verified this bug with openshift3/ose-f5-router:v3.1.1.905 image
Comment 10 errata-xmlrpc 2016-05-12 16:29:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064
Comment 11 Paualsh112 2017-01-14 06:46:37 UTC 
As nitass says the forwarding vs is the answer. remember also that when you are running the F5 as the router you need to think about your security and application dependencis such as idle timeout, arb-mac timeout....
What I mean is that you should setup at least 2 forwarding ws IMHO.
<a href="https://productriver.com/best-wireless-routers">best 4 wireless routers</a>