Bug 1944121
| Field | Value |
|---|---|
| Summary | OVN-kubernetes references AddressSets after deleting them, causing ovn-controller errors |
| Product | OpenShift Container Platform |
| Component | Networking |
| Networking sub component | ovn-kubernetes |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 4.6 |
| Target Release | 4.8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Andy Bartlett <andbartl> |
| Assignee | Casey Callendrello <cdc> |
| QA Contact | Anurag saxena <anusaxen> |
| CC | anbhat, anusaxen, astoycos, cdc, cpassare, fiezzi, joboyer, openshift-bugs-escalate, zzhao |
| Last Closed | 2021-07-27 22:56:24 UTC |
| Type | Bug |
| Bug Blocks | 1951552, 2037221 |

Description
Andy Bartlett
2021-03-29 11:03:47 UTC
On second thought, I take my statement back; 10 seconds is not an acceptable amount of time for traffic to drop. It looks like we need to be more careful around deleting the address set. Let me take a look.

As a workaround, they can allow DNS traffic to a static set of namespaces, rather than all of them, and this should be more effective.

This issue can be reproduced on 4.8.0-0.nightly-2021-04-19-175100 and before with the following steps:

```
oc new-project z1
oc create -f list.json -n z1
oc create -f policy.yaml -n z1
oc delete namespace z1
oc -n openshift-ovn-kubernetes -c ovn-controller logs ovnkube-node-tbjtt | grep error
```

```
$ oc -n openshift-ovn-kubernetes -c ovn-controller logs ovnkube-node-tbjtt | grep error
2021-04-20T03:31:15Z|00012|lflow|WARN|error parsing match "reg0[7] == 1 && (ip4.dst == {$a10309787208889436959, $a10365219111236117829, $a10819938825290322714, $a10951847637192197900, $a10989964789905973848, $a11679209097797522690, $a11840947999323393980, $a12008966417577843415, $a12154940767642941581, $a12439030798087402947, $a12442592456685404899, $a12676868499161577573, $a13190512685297411187, $a13201061909865993731, $a13240627709167346629, $a1348114338668042846, $a13488436752166948783, $a13781166516790073860, $a13945312121057736541, $a14107835402720776790, $a14251709134719960830, $a1440651458415708593, $a14685874349853149463, $a14778536506385295319, $a14853475258048435235, $a14984764264663054966, $a15035842609893410826, $a15091597671988575549, $a1524509087118018451, $a15498572541984179350, $a15717357575191736570, $a1580195430150997937, $a16196029566881918112, $a16235039932615691331, $a16535584809086930420, $a16827882760058655782, $a16947928209580517504, $a17945288690632224513, $a18084239623829554092, $a18100547566674084158, $a18148441154061044714, $a18181855203662190716, $a18363165982804349389, $a18367586167066130605, $a202214916133963101, $a2269173857227433350, $a2464725673981131758, $a2480367723304591635, $a2532452745942987758, $a2548583302683441616, $a2596498882697482933, $a2608411444094720729, $a2626637162768014744, $a2945744646617718812, $a3028971819481556012, $a3443446865985225755, $a3568460697379707690, $a3826097561732631257, $a3913954643872337278, $a411509175204078706, $a4287555272933708487, $a4507119548603116395, $a4910645986623324574, $a4924844817631943359, $a5154718082306775057, $a5725778633432857673, $a5915752004141595053, $a6290201146921788953, $a6379087888064551080, $a6480381032413798865, $a6937002112706621489, $a7228108612096671536, $a7360869138558469588, $a7709789839164300938, $a7750122077141603738, $a7970571692240646921, $a8335123182382710849, $a8449276449561422499, $a859969115225903002, $a868704743532850555, $a8796347983972862164, $a8865309346839741844, $a9031429284635959044, $a9055623764263513107, $a914642378985782992, $a9550124085778963684, $a9638343899169163746, $a9737436360988937620, $a9769903554508400075} && tcp && tcp.dst==53 && inport == @a14458084718464326979)": Syntax error at `$a12442592456685404899' expecting address set name.
```

And verified this bug on 4.8.0-0.nightly-2021-04-19-225513.

Attach the policy.yaml:

```
$ cat policy.yaml
---
# Source: networkpolicies-config-values/charts/networkpolicies-config/templates/networkpolicies.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: stex-rd-networkpolicies-config-default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Source: networkpolicies-config-values/charts/networkpolicies-config/templates/networkpolicies.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: stex-rd-networkpolicies-config-allow-dns
spec:
  podSelector: {}
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 5353
    - protocol: UDP
      port: 5353
  policyTypes:
  - Egress
```

@Andy I don't think the large number of flows causes this per se - this bug is simple enough to be triggered by a small amount of flows -- it's the flows that are wrong! If you're still seeing something like this in the future after the fixes are rolled out, we can investigate.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
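
To check a cluster for the symptom reported in this bug, the following added example (not code from the bug report or from OVN) parses ovn-controller `lflow` warnings of the form quoted above and lists every address set a broken flow still references but that no longer exists. ovn-controller names only the first unknown token, so the comparison against a caller-supplied set of existing names goes slightly beyond the log line itself; the sample lines and the short names `a111`, `a222`, `a333`, `a999` are constructed.

```python
import re

# ovn-controller log layout as seen in the report: timestamp|seq|module|LEVEL|message
LFLOW_ERR = re.compile(
    r'^(?P<ts>[^|]+)\|\d+\|lflow\|WARN\|error parsing match "(?P<match>.*)": '
    r"Syntax error at `(?P<token>[^']+)' expecting address set name\.")
ADDRESS_SET_REF = re.compile(r"\$([A-Za-z_][\w.]*)")   # $name inside the match
PORT_GROUP_REF = re.compile(r"@([A-Za-z_][\w.]*)")     # @name inside the match

def parse_lflow_error(line):
    """Return the fields of one 'expecting address set name' warning, or None."""
    m = LFLOW_ERR.search(line)
    if not m:
        return None
    match = m.group("match")
    return {
        "timestamp": m.group("ts"),
        "offending": m.group("token").lstrip("$"),   # first token the parser rejected
        "address_sets": ADDRESS_SET_REF.findall(match),
        "port_groups": PORT_GROUP_REF.findall(match),
    }

def dangling_references(event, existing_sets):
    """All referenced address sets that are absent from existing_sets."""
    return sorted(set(event["address_sets"]) - set(existing_sets))

def summarize(lines, existing_sets):
    """Map each dangling address set to the number of broken flows citing it."""
    counts = {}
    for line in lines:
        event = parse_lflow_error(line)
        if event is None:
            continue
        for name in dangling_references(event, existing_sets):
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample input, shortened from the log line in the report.
_TEMPLATE = ('2021-04-20T03:31:15Z|{seq}|lflow|WARN|error parsing match "reg0[7] == 1 && '
             '(ip4.dst == {{$a111, $a222, $a333}} && {proto} && {proto}.dst==53 && '
             'inport == @a999)": '
             "Syntax error at `$a222' expecting address set name.")
SAMPLE = [
    _TEMPLATE.format(seq="00012", proto="tcp"),
    _TEMPLATE.format(seq="00013", proto="udp"),
    "2021-04-20T03:31:16Z|00014|binding|INFO|constructed unrelated line",
]
EXISTING = {"a111", "a333"}   # assumption: names currently present in the OVN database

if __name__ == "__main__":
    print(summarize(SAMPLE, EXISTING))
```
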