Bug 1484133

Summary: 3.4 check for and use new iptables-restore 'wait' argument
Product: OpenShift Container Platform Reporter: Dan Winship <danw>
Component: Networking Assignee: Ben Bennett <bbennett>
Status: CLOSED ERRATA QA Contact: Meng Bo <bmeng>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 3.4.1 CC: aos-bugs, bbennett, bmeng, danw, dcbw, eparis, erich, pdwyer, stwalter, yadu
Target Milestone: ---   
Target Release: 3.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: the iptables proxy was not properly locking its use of iptables. Consequence: the iptables proxy could conflict with docker and the openshift-node process and cause a failure to start containers. Fix: the iptables proxy now locks its use of iptables. Result: pod creation failures due to improper locking of iptables should no longer occur.
Story Points: ---
Clone Of: 1481782 Environment:
Last Closed: 2017-09-07 19:13:34 UTC Type: Bug

Comment 1 Dan Winship 2017-08-22 19:07:25 UTC
https://github.com/openshift/ose/pull/847

Comment 3 Yan Du 2017-08-30 07:32:48 UTC
Tested on OCP3.4+rhel7.3 / OCP3.4+rhel7.4
oc v3.4.1.44.17
kubernetes v1.4.0+776c994
iptables v1.4.21

Use an infinite loop to keep creating services which have the same endpoint from the master side.

On the node side, check the process which is opening the /run/xtables.lock file.

[root@ip-172-18-1-166 ~]# while true ; do lsof +c0 /run/xtables.lock ; done
COMMAND            PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 130893 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 438 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 451 root    3r   REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 501 root    3r   REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 530 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 559 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 630 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 645 root    3rW  REG   0,18        0 25053 /run/xtables.lock

And no "Resource temporarily unavailable (exit status 4)" in the node log.
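
Added example, not part of the bug report or the OpenShift code: a sketch of the lock contention this bug is about, showing a second writer failing when it does not wait for a held lock and succeeding when it does. It assumes the xtables lock behaves as an advisory flock() on a file; the temporary path and the function names are constructed for the illustration, and the real /run/xtables.lock is never touched.

```python
import errno
import fcntl
import os
import tempfile
import threading
import time


def try_lock(path):
    """One non-blocking attempt; returns an fd holding the lock, or None if busy."""
    fd = os.open(path, os.O_RDONLY | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return fd
    except OSError as exc:
        os.close(fd)
        # EAGAIN is the errno whose message is "Resource temporarily unavailable".
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            return None
        raise


def lock_with_wait(path, timeout, interval=0.05):
    """Retry until the lock is free or `timeout` seconds pass (the 'wait' behaviour)."""
    deadline = time.monotonic() + timeout
    while True:
        fd = try_lock(path)
        if fd is not None or time.monotonic() >= deadline:
            return fd
        time.sleep(interval)


def demo(hold_seconds=0.2):
    """Returns (no_wait_succeeded, wait_succeeded) while another holder has the lock."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "xtables.lock")  # constructed stand-in path
        holder = try_lock(path)                   # first writer takes the lock
        threading.Timer(hold_seconds, os.close, args=(holder,)).start()
        no_wait = try_lock(path)                  # second writer, no waiting
        waited = lock_with_wait(path, timeout=5)  # second writer, waits
        results = (no_wait is not None, waited is not None)
        for fd in (no_wait, waited):
            if fd is not None:
                os.close(fd)
        return results


if __name__ == "__main__":
    print(demo())
```
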

Comment 5 errata-xmlrpc 2017-09-07 19:13:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2670