Bug 1389706
Summary: | [networking_public_157] Pods cannot connect to F5 server via vxlan | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Hongan Li <hongli> |
Component: | Networking | Assignee: | Rajat Chopra <rchopra> |
Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | | |
Priority: | high | CC: | aos-bugs, bbennett, bmeng, hongli, rchopra, tdawson, wsun, xtian |
Version: | 3.4.0 | Keywords: | TestBlocker |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2017-01-18 12:47:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Hongan Li
2016-10-28 09:37:33 UTC
Two issues possible (because it works with my setup):

1. The router does not have watchNodes capability, so it will not add any nodes to the f5 vxlan FDB
2. The f5 instance does not have the required 'sdn_services' license

(In reply to Rajat Chopra from comment #3)
> Two issues possible (because it works with my setup):
>
> 1. The router does not have watchNodes capability, so it will not add any
> nodes to the f5 vxlan FDB
> 2. The f5 instance does not have the required 'sdn_services' license

For #2, I checked the F5 license and I'm sure the SDN service is in the active modules.

For #1, I'm not sure how to check or enable the router watchNodes capability. Could you give more details?

And I've found many logs in the f5 router pod like the one below:

```
E1031 15:32:00.859667 1 reflector.go:203] github.com/openshift/origin/pkg/router/controller/factory/factory.go:76: Failed to list *api.Node: User "system:serviceaccount:default:router" cannot list all nodes in the cluster
```

Maybe this means the router does not have watchNodes capability?

Correct. The router does not have the right role to list/watch nodes. This was removed from the default system:router role, and we plan to create another role for the F5 router now. Will mark this bug fixed when I create that PR.

PR https://github.com/openshift/origin/pull/11742

Also you need to start the router with more privileges, e.g.

```
oadm policy add-cluster-role-to-user system:sdn-reader system:serviceaccount:default:router
```

Rajat, I assume we are putting that in the F5 router docs? Will you please put the link to the docs PR here too.

Looks like PR 11742 is already merged in ocp-3.4.0.21, please give it a try.

PR https://github.com/openshift/origin/pull/11788 fixes the periodic error messages that you keep seeing on router re-launch.

PR for fixing the multitenancy issue: https://github.com/openshift/origin/pull/11817

This has been merged into ose and is in OSE v3.4.0.24 or newer.

Verified in 3.4.0.24 and the issue has been fixed.

Test steps:

1. `oc annotate hostsubnet f5-server pod.network.openshift.io/fixed-vnid-host="true"`
2. Restart all openshift node services.
3. `ovs-ofctl dump-flows -O openflow13 br0 | grep table=8`

```
cookie=0x0, duration=1569.500s, table=8, n_packets=133, n_bytes=5586, priority=100,arp,arp_tpa=10.1.5.0/24 actions=load:0->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1
cookie=0x0, duration=1569.459s, table=8, n_packets=14963, n_bytes=1091250, priority=100,ip,nw_dst=10.1.5.0/24 actions=load:0->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1
```

4. Ping between pods in a non-default namespace and F5; F5 is reachable.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066
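A helper for step 3 of the verification above, added here as an example and not part of the bug report or of OpenShift: it takes the `ovs-ofctl dump-flows` output as a string and checks that table=8 holds both the arp and the ip flow for the F5 host subnet, that each loads VNID 0 into the tunnel id, and that each tunnels to the F5 VTEP address. The sample flows are constructed from the two lines quoted in the comment; the failing sample's `move:NXM_NX_REG0[]` shape is an assumption about what the flow looks like without the annotation.

```shell
#!/bin/sh
# check_f5_flows CIDR VTEP FLOWS
# Returns 0 when table=8 holds an arp and an ip flow for CIDR that both load
# VNID 0 into NXM_NX_TUN_ID and tunnel to VTEP (what the fixed-vnid-host
# annotation should produce for the F5 hostsubnet); returns 1 and names the
# first missing or wrong flow otherwise.
check_f5_flows() {
    cidr=$1
    vtep=$2
    flows=$3
    for proto in arp ip; do
        case $proto in
            arp) match="arp,arp_tpa=$cidr " ;;
            ip)  match="ip,nw_dst=$cidr " ;;
        esac
        if ! printf '%s\n' "$flows" \
             | grep -F 'table=8,' \
             | grep -F "$match" \
             | grep -F 'load:0->NXM_NX_TUN_ID[0..31]' \
             | grep -Fq "set_field:$vtep->tun_dst"; then
            echo "missing or wrong table=8 $proto flow for $cidr via $vtep" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample, modelled on the dump-flows lines in the verification
# comment: both flows carry VNID 0 and point at the F5 VTEP 192.168.122.111.
GOOD_FLOWS='cookie=0x0, duration=1569.500s, table=8, n_packets=133, n_bytes=5586, priority=100,arp,arp_tpa=10.1.5.0/24 actions=load:0->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1
cookie=0x0, duration=1569.459s, table=8, n_packets=14963, n_bytes=1091250, priority=100,ip,nw_dst=10.1.5.0/24 actions=load:0->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1'

# Constructed failure case (assumed shape of an unannotated hostsubnet): the ip
# flow copies the sending pod's VNID from reg0 into the tunnel id instead of
# loading 0, so only VNID-0 (default namespace) pods would reach the F5.
BAD_FLOWS='cookie=0x0, duration=12.1s, table=8, n_packets=0, n_bytes=0, priority=100,arp,arp_tpa=10.1.5.0/24 actions=load:0->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1
cookie=0x0, duration=12.1s, table=8, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=10.1.5.0/24 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:192.168.122.111->tun_dst,output:1'

# Stand-alone demonstration on the constructed samples. On a node, feed it
# "$(ovs-ofctl dump-flows -O openflow13 br0)" instead.
check_f5_flows 10.1.5.0/24 192.168.122.111 "$GOOD_FLOWS" && echo "good sample: ok"
check_f5_flows 10.1.5.0/24 192.168.122.111 "$BAD_FLOWS" || echo "bad sample: rejected"
```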