Bug 1906650

Summary: Cannot collect network policy, EgressFirewall, egressip logs with gather_network_logs
Product: OpenShift Container Platform
Reporter: huirwang
Component: Networking
Assignee: Andrew Stoycos <astoycos>
Networking sub component: ovn-kubernetes
QA Contact: huirwang
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: aconstan, astoycos
Version: 4.7
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-02-24 15:41:57 UTC
Type: Bug

Description huirwang 2020-12-11 03:09:20 UTC
How reproducible:
Always

Steps to Reproduce:
1. oc adm must-gather -- gather_network_logs

Actual results:
[must-gather-zrwhn] POD WARNING: Collecting network logs on ALL linux nodes in your cluster. This could take a long time.
[must-gather-zrwhn] POD /usr/bin/gather_network_logs: line 235: [-z: command not found
[must-gather-zrwhn] POD INFO: ovn-ipsec is enabled, tunnel traffic should be encryted
[must-gather-zrwhn] POD INFO: Gathering ovn-ipsec data
[must-gather-zrwhn] POD INFO: Gathering Multus data
[must-gather-zrwhn] POD INFO: Gathering ovn-kubernetes node data
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD INFO: Gathering ovn-kubernetes master data
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD INFO: Waiting for node network log collection to complete ...

After the above commands, check the network_logs folder: there are no policies, egressFirewalls, or egressips folders, and no such logs.


Expected results:
Should collect policies, egressFirewalls, egressips logs successfully.



Additional info:
Besides the above issue, one more note:

For EgressFirewall, the object name is different between SDN and OVN.
In SDN, it is called egressnetworkpolicy; please see the example below.
oc describe egressnetworkpolicy  policy-test -n test
Name:		policy-test
Namespace:	test
Created:	15 seconds ago
Labels:		<none>
Annotations:	<none>
Rule:		Allow to www.facebook.com
Rule:		Deny to 0.0.0.0/0
In OVN, it is called egressfirewall; the current way is OK.

For EgressIP, it is also different between SDN and OVN.
In SDN, I think the logs could maybe be collected as:
oc get hostsubnet
It is better to confirm with DEV what egressIP logs need to be collected in SDN.

In OVN, the EgressIP object does not belong to any namespace; it is a cluster-wide resource. So we don't need to execute "oc describe EgressIP" in each namespace.
oc describe EgressIP -n "${NAMESPACE}" \
 > "${EGRESSIP_LOG_PATH}"/"${NAMESPACE}"_EgressIPs 2>&1 & PIDS=($!)
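
The object names and scoping described in the report above, as an added shell sketch that is not part of the original report or of the must-gather script. The function name, its arguments, the output file names other than the three folder names, and the networkType strings "OVNKubernetes" and "OpenShiftSDN" supplied by the caller are assumptions; the function only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not the must-gather code).
# plan_policy_gather NETWORK_TYPE OUT_DIR [NAMESPACE...]
# Prints one "oc ..." command line per object kind; nothing is executed.
plan_policy_gather() {
    local network_type="$1" out_dir="$2"
    [ "$#" -ge 2 ] && shift 2

    # "[-z: command not found" (seen in the log above) is what the shell
    # reports when the space after "[" is missing: "[" is itself a command
    # and must be a separate word from its first argument.
    if [ -z "${network_type}" ] || [ -z "${out_dir}" ]; then
        echo "usage: plan_policy_gather NETWORK_TYPE OUT_DIR [NAMESPACE...]" >&2
        return 2
    fi

    local egress_fw_kind ns
    case "${network_type}" in
        OVNKubernetes)
            egress_fw_kind="egressfirewall"
            # EgressIP is cluster-scoped in OVN: describe it once, without -n.
            echo "oc describe egressip > ${out_dir}/egressips/cluster_EgressIPs"
            ;;
        OpenShiftSDN)
            egress_fw_kind="egressnetworkpolicy"
            # The reporter's suggestion for SDN; unconfirmed on the page.
            echo "oc get hostsubnet > ${out_dir}/egressips/hostsubnets"
            ;;
        *)
            echo "unsupported network type: ${network_type}" >&2
            return 1
            ;;
    esac

    # Namespaced objects: one describe per namespace and kind.
    for ns in "$@"; do
        echo "oc describe networkpolicy -n ${ns} > ${out_dir}/policies/${ns}_policies"
        echo "oc describe ${egress_fw_kind} -n ${ns} > ${out_dir}/egressFirewalls/${ns}_egressFirewalls"
    done
}
```
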

Comment 1 Andrew Stoycos 2020-12-11 14:43:36 UTC
Hey there, 

So I had implemented this feature within gather-network-logs (https://github.com/openshift/must-gather/pull/187), but I saw some scale issues with it and therefore reverted the work.  Instead these objects will be collected via the "Related-objects" mechanism which I have yet to implement.  This will be a good method for tracking that work, thanks for creating. 

- Andrew

Comment 6 errata-xmlrpc 2021-02-24 15:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633