Bug 1571433
Summary: | [3.7] Update of Egress Network Policy causes temporary egress failure when using dnsName | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Ravi Sankar <rpenta> |
Component: | Networking | Assignee: | Ravi Sankar <rpenta> |
Status: | CLOSED ERRATA | QA Contact: | Meng Bo <bmeng> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 3.7.0 | CC: | aos-bugs, bbennett, hongli |
Target Milestone: | --- | | |
Target Release: | 3.7.z | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text:
Cause: Updating an egress policy required blocking outgoing traffic, patching the OVS flows and then re-enabling traffic, but the OVS flow generation for DNS names was slow.
Consequence: A few seconds of egress traffic downtime, which may not be acceptable.
Fix: Change the egress policy update handling to pre-populate all new OVS flows before blocking the outgoing traffic.
Result: Reduces the downtime during egress policy updates.
Last Closed: | 2018-05-18 03:54:45 UTC | Type: | Bug |
Description
Ravi Sankar
2018-04-24 18:59:57 UTC
verified in atomic-openshift-3.7.46-1.git.0.e81594b.el7 that the order of updating ovs flow has been changed as below:

```
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: W0511 04:36:15.153777 16957 ovscontroller.go:471] Correcting CIDRSelector '0.0.0.0/32' to '0.0.0.0/0' in EgressNetworkPolicy lha:policy-test
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.153833 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, cookie=1, priority=65535, actions=drop
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.166007 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 del-flows br0 table=101, reg0=14428014, cookie=0/1
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.173006 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=98.137.246.7, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.179517 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=98.137.246.8, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.185321 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=72.30.35.10, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.191714 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=72.30.35.9, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.198561 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=98.138.219.231, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.204981 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=98.138.219.232, actions=output:2
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.211258 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=1, ip, actions=drop
May 11 04:36:15 host-172-16-120-136 atomic-openshift-node[16957]: I0511 04:36:15.217460 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 del-flows br0 table=101, reg0=14428014, cookie=1/1
```

OS: Red Hat Enterprise Linux Server release 7.5 (Maipo)
kernel: Linux host-172-16-120-136 3.10.0-862.2.3.el7.x86_64 #1 SMP Mon Apr 30 12:37:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1576
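An added example, not part of the bug report or of the OpenShift code: a Python check that measures how long egress stays blocked during a policy update, using the node log format quoted in the verification comment. It assumes the `cookie=1` drop flow is the temporary block and `del-flows ... cookie=1/1` lifts it, as the log order suggests; the function name, the record fields and the `year` default are choices made for this example.

```python
import re
from datetime import datetime

# Sample input: a subset of the node log lines quoted in the comment above,
# with the syslog prefix trimmed (the parser accepts lines with or without it).
SAMPLE_LOG = """\
I0511 04:36:15.153833 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, cookie=1, priority=65535, actions=drop
I0511 04:36:15.166007 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 del-flows br0 table=101, reg0=14428014, cookie=0/1
I0511 04:36:15.173006 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=2, ip, nw_dst=98.137.246.7, actions=output:2
I0511 04:36:15.211258 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 add-flow br0 table=101, reg0=14428014, priority=1, ip, actions=drop
I0511 04:36:15.217460 16957 ovs.go:139] Executing: ovs-ofctl -O OpenFlow13 del-flows br0 table=101, reg0=14428014, cookie=1/1
"""

# glog header (severity letter, MMDD, time) followed by the logged ovs-ofctl call.
LINE = re.compile(
    r"[IWEF](\d{4}) (\d\d:\d\d:\d\d\.\d{6}) .*?"
    r"ovs-ofctl -O OpenFlow13 (add-flow|del-flows) br0 table=101, reg0=(\d+), (.*)$"
)

def block_windows(log_text, year=2018):
    """Return one record per temporary egress block, keyed by the flow's reg0.

    glog timestamps carry no year, so `year` is an assumption supplied by the caller.
    """
    open_blocks, windows = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mmdd, clock, verb, reg0, rest = m.groups()
        ts = datetime.strptime(f"{year}{mmdd} {clock}", "%Y%m%d %H:%M:%S.%f")
        if verb == "add-flow" and "cookie=1," in rest and "actions=drop" in rest:
            # Temporary high-priority drop: egress is blocked from here on.
            open_blocks[reg0] = {"reg0": reg0, "start": ts,
                                 "flows_added": 0, "blocked_ms": None}
        elif reg0 in open_blocks and verb == "add-flow":
            open_blocks[reg0]["flows_added"] += 1   # new policy rule installed
        elif reg0 in open_blocks and rest.strip() == "cookie=1/1":
            w = open_blocks.pop(reg0)               # block lifted
            w["blocked_ms"] = (ts - w["start"]).total_seconds() * 1000
            windows.append(w)
    # A block that was never lifted (blocked_ms is None) means egress is still dropped.
    return windows + list(open_blocks.values())

if __name__ == "__main__":
    for w in block_windows(SAMPLE_LOG):
        print(w["reg0"], w["flows_added"], w["blocked_ms"])
```

Run against a node's journal before and after the update to compare block durations; a record with `blocked_ms` of `None` is worth alerting on.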