Bug 1506332 - Reduce node iptables logging in V(2)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.7.0
Assignee: Phil Cameron
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-25 18:05 UTC by Eric Paris
Modified: 2017-11-28 22:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: no doc changes Consequence: Fix: Result:
Clone Of:
Environment:
Last Closed: 2017-11-28 22:19:09 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Origin (Github) | 17060 | 0 | None | None | None | 2017-10-26 19:46:49 UTC
Red Hat Product Errata | RHSA-2017:3188 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update | 2017-11-29 02:34:54 UTC

Description Eric Paris 2017-10-25 18:05:05 UTC
The node in V(2) loses 80%+ of its logs because of spam.

Please eliminate the list of actual iptables rules from being logged at V(2) so more useful messages can come through.

Comment 1 Ben Bennett 2017-10-26 19:05:40 UTC
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: I1026 19:03:01.694600  119323 proxier.go:1602] Rules:
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: *filter
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: :KUBE-SERVICES - [0:0]
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "trys/tc8:8443-tcp has no endpoints" -m tcp -p tcp -d 172.30.141.35/32 --dport 8443 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "maew/maew:8080-tcp has no endpoints" -m tcp -p tcp -d 172.30.133.108/32 --dport 8080 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "moody-backend/moody:8080-tcp has no endpoints" -m tcp -p tcp -d 172.30.196.168/32 --dport 8080 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "open5/ruby-ex:8080-tcp has no endpoints" -m tcp -p tcp -d 172.30.27.112/32 --dport 8080 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "hongz/mongodb:mongodb has no endpoints" -m tcp -p tcp -d 172.30.29.86/32 --dport 27017 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "dsntest12/cakephp-mysql-persistent:web has no endpoints" -m tcp -p tcp -d 172.30.101.200/32 --dport 8080 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "rfd/orbit:8080-tcp has no endpoints" -m tcp -p tcp -d 172.30.209.225/32 --dport 8080 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "deliriy-tmp/apiserver:secure has no endpoints" -m tcp -p tcp -d 172.30.1.2/32 --dport 443 -j REJECT
Oct 26 19:03:01 ip-172-31-21-249.ca-central-1.compute.internal atomic-openshift-node[119323]: -A KUBE-SERVICES -m comment --comment "611pro/pro611:8080-tcp has no endpoints" -m tcp -p tcp -d 172.30.85.236/32 --dport 8080 -j REJECT

...
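
Added example, not part of the bug report or of the OpenShift/Kubernetes code: a small Python triage script that classifies journald lines like the ones in Comment 1 and reports how much of the node log volume is iptables rule dump. The sample lines (host name, PID, service names, addresses) are constructed, and the regular expressions assume journald's short output format and the glog prefix seen above.

```python
import re
from collections import Counter

# journald short format: "<Mon DD HH:MM:SS> <host> <unit>[<pid>]: <message>"
JOURNAL = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ [^\[\s]+\[\d+\]: (.*)$")
# glog prefix: "I1026 19:03:01.694600  119323 proxier.go:1602] <body>"
GLOG = re.compile(r"^[IWEF]\d{4} [\d:.]+ +\d+ ([\w.-]+):\d+\] (.*)$")
# iptables-restore input: table header, chain declaration, rule, or COMMIT
RULE = re.compile(r"^(\*\w+|:[\w-]+ \S+ \[\d+:\d+\]|-[AIX] \S.*|COMMIT)$")

def classify(line):
    """Return 'rule-dump', 'glog:<source file>', or 'other' for one journal line."""
    m = JOURNAL.match(line)
    if not m:
        return "other"
    msg = m.group(1)
    if RULE.match(msg):
        return "rule-dump"
    g = GLOG.match(msg)
    if g:
        # The glog line that introduces the dump counts as part of it.
        return "rule-dump" if g.group(2) == "Rules:" else "glog:" + g.group(1)
    return "other"

def dump_share(lines):
    """Return (per-class line counts, fraction of bytes spent on rule dumps)."""
    counts, size = Counter(), Counter()
    for line in lines:
        kind = classify(line)
        counts[kind] += 1
        size[kind] += len(line.encode())
    total = sum(size.values())
    return counts, (size["rule-dump"] / total if total else 0.0)

# Constructed sample: host, PID, service names and addresses are invented.
P = "Oct 26 19:03:01 node1.example.internal atomic-openshift-node[4242]: "
SAMPLE = [
    P + "I1026 19:03:01.694600    4242 proxier.go:1602] Rules:",
    P + "*filter",
    P + ":KUBE-SERVICES - [0:0]",
    P + '-A KUBE-SERVICES -m comment --comment "demo/web:8080-tcp has no endpoints" -m tcp -p tcp -d 192.0.2.10/32 --dport 8080 -j REJECT',
    P + '-A KUBE-SERVICES -m comment --comment "demo/db:mongodb has no endpoints" -m tcp -p tcp -d 192.0.2.11/32 --dport 27017 -j REJECT',
    P + "COMMIT",
    P + "E1026 19:03:01.700000    4242 proxier.go:1601] Failed to execute iptables-restore: exit status 4",
    P + "I1026 19:03:01.700100    4242 proxier.go:993] syncProxyRules took 2.36s",
]

if __name__ == "__main__":
    print(dump_share(SAMPLE))
```

Fed the output of `journalctl -u atomic-openshift-node`, the per-class counts show which source files still get through and how much of the volume the rule dump consumes.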

Comment 2 Ben Bennett 2017-10-26 19:47:03 UTC
PR https://github.com/openshift/origin/issues/17060

Comment 3 openshift-github-bot 2017-10-29 12:54:10 UTC
Commits pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/74c77fc0e12485be8dca6dd6580891f5224ad565
Reduce node iptables logging in V(2)

bug: 1506332
https://bugzilla.redhat.com/show_bug.cgi?id=1506332

https://github.com/openshift/origin/commit/92cabfbec15f9de10d5e7cf0160defc976c82293
Merge pull request #17060 from pecameron/bz1506332

Automatic merge from submit-queue.

UPSTREAM: 54700: Reduce node iptables logging in V(2)

bug: 1506332
https://bugzilla.redhat.com/show_bug.cgi?id=1506332

Comment 5 Meng Bo 2017-11-03 11:40:12 UTC
Tested on ocp v3.7.0-0.190.0

The iptables restore failure will not print the rule list.

Nov 03 07:31:49 qe-bmeng-37-new-master-etcd-nfs-1.c.openshift-gce-devel.internal atomic-openshift-node[11969]: E1103 07:31:49.977839   11969 proxier.go:1601] Failed to execute iptables-restore: exit status 4 (Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Nov 03 07:31:49 qe-bmeng-37-new-master-etcd-nfs-1.c.openshift-gce-devel.internal atomic-openshift-node[11969]: )
Nov 03 07:31:49 qe-bmeng-37-new-master-etcd-nfs-1.c.openshift-gce-devel.internal atomic-openshift-node[11969]: I1103 07:31:49.977869   11969 proxier.go:993] syncProxyRules took 2.360046661s
Nov 03 07:31:49 qe-bmeng-37-new-master-etcd-nfs-1.c.openshift-gce-devel.internal atomic-openshift-node[11969]: I1103 07:31:49.977884   11969 bounded_frequency_runner.go:221] sync-runner: ran, next possible in 0s, periodic in 30s
Nov 03 07:31:50 qe-bmeng-37-new-master-etcd-nfs-1.c.openshift-gce-devel.internal atomic-openshift-node[11969]: I1103 07:31:50.062045   11969 generic.go:183] GenericPLEG: Relisting

Comment 8 errata-xmlrpc 2017-11-28 22:19:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188