Bug 1484133 - 3.4 check for and use new iptables-restore 'wait' argument
Summary: 3.4 check for and use new iptables-restore 'wait' argument
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 3.4.z
Assignee: Ben Bennett
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-22 19:06 UTC by Dan Winship
Modified: 2017-09-07 19:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the iptables proxy was not properly locking its use of iptables.
Consequence: the iptables proxy could conflict with docker and the openshift-node process and cause a failure to start containers.
Fix: the iptables proxy now locks its use of iptables.
Result: pod creation failures due to improper locking of iptables should no longer occur.
Clone Of: 1481782
Environment:
Last Closed: 2017-09-07 19:13:34 UTC
Target Upstream Version:




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 3059761 | None | None | None | 2017-08-22 19:06:49 UTC
Red Hat Product Errata | RHBA-2017:2670 | normal | SHIPPED_LIVE | OpenShift Container Platform 3.5 and 3.4 bug fix update | 2017-09-07 23:13:17 UTC

Comment 1 Dan Winship 2017-08-22 19:07:25 UTC
https://github.com/openshift/ose/pull/847

Comment 3 Yan Du 2017-08-30 07:32:48 UTC
Tested on OCP 3.4 + RHEL 7.3 / OCP 3.4 + RHEL 7.4
oc v3.4.1.44.17
kubernetes v1.4.0+776c994
iptables v1.4.21

Use an infinite loop to keep creating services which have the same endpoint from the master side.

On the node side, check which process has the /run/xtables.lock file open.

[root@ip-172-18-1-166 ~]# while true ; do lsof +c0 /run/xtables.lock ; done
COMMAND            PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 130893 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 438 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 451 root    3r   REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 501 root    3r   REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 530 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 559 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 630 root    3rW  REG   0,18        0 25053 /run/xtables.lock
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
iptables-restor 645 root    3rW  REG   0,18        0 25053 /run/xtables.lock

And no "Resource temporarily unavailable (exit status 4)" in the node log.
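
The lock contention behind this bug, as an added illustration (not code from this bug report, OpenShift or iptables): a second writer that does not wait for a held lock fails with EAGAIN, the errno whose message is "Resource temporarily unavailable", while a writer that waits succeeds once the holder releases. It assumes the lock is an exclusive flock(2) and uses a temporary file as a stand-in for /run/xtables.lock; `try_lock`, `release` and `demo` are hypothetical names.

```python
import errno
import fcntl
import os
import tempfile
import threading
import time


def try_lock(path, wait_seconds=0.0, poll=0.05):
    """Take an exclusive flock on path, retrying until wait_seconds elapse.

    Returns (fd, None) on success or (None, errno) if the lock stayed busy.
    """
    fd = os.open(path, os.O_RDONLY | os.O_CREAT, 0o600)
    deadline = time.monotonic() + wait_seconds
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return fd, None
        except BlockingIOError as exc:  # held through another open file
            if time.monotonic() >= deadline:
                os.close(fd)
                return None, exc.errno
            time.sleep(poll)


def release(fd):
    """Drop the flock and close the descriptor."""
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def demo():
    # Constructed stand-in for /run/xtables.lock; the real file is not touched.
    with tempfile.TemporaryDirectory() as tmp:
        lock = os.path.join(tmp, "xtables.lock")
        holder, _ = try_lock(lock)        # first writer owns the lock
        _, nowait_errno = try_lock(lock)  # second writer, no wait: fails
        # The holder finishes 0.2 s later, while the next caller is waiting.
        threading.Timer(0.2, release, args=(holder,)).start()
        waiter, wait_errno = try_lock(lock, wait_seconds=2.0)
        got_lock = waiter is not None
        if got_lock:
            release(waiter)
        return {"nowait_errno": nowait_errno,
                "nowait_message": os.strerror(nowait_errno),
                "wait_got_lock": got_lock, "wait_errno": wait_errno}


if __name__ == "__main__":
    print(demo())
```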

Comment 5 errata-xmlrpc 2017-09-07 19:13:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2670

