Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1575929

Summary: openvswitch-ovn-common v2.9.0 hangs configuring ssl if ssl configuraiton exists
Product: Red Hat Enterprise Linux 7 Reporter: Sandro Bonazzola <sbonazzo>
Component: openvswitchAssignee: Timothy Redaelli <tredaelli>
Status: CLOSED ERRATA QA Contact: haidong li <haili>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.5CC: atragler, danken, haili, kfida, mmichels, myakove, pvauter, rkhan, tredaelli, ylavi
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openvswitch-2.9.0-53.el7fdn Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-15 13:53:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1570384, 1593252    

Description Sandro Bonazzola 2018-05-08 10:29:10 UTC 
Issue has been seen in oVirt / RHV deployment and reported in bug #1570384.
I've been told that openvswitch v 2.10 should already have a fix for this, please rebase on the new version.
I would suggest an async release for this.
Comment 2 Mark Michelson 2018-05-08 13:58:37 UTC 
@Sandro, you say this is fixed in 2.10 (OVS master, I guess). Do you know which commit fixes this? The closest thing I've found is https://patchwork.ozlabs.org/project/openvswitch/list/?series=40928

which is not yet merged.
Comment 3 Mark Michelson 2018-05-11 12:56:04 UTC 
Hi Sandro,

Lorenzo Bianconi gave me instructions on how to reproduce this outside of ovirt. What I can say right now is that the suspected patches to fix this (the ones I referenced earlier) appear NOT to fix this issue.

I am looking into it and will let you know when I have a fix.
Comment 4 Sandro Bonazzola 2018-05-14 14:31:58 UTC 
Thanks Mark, we'll stay tuned.
Comment 5 Mark Michelson 2018-05-15 13:41:40 UTC 
I believe I've found the cause of the problem. It's from a commit introduced in December.

The SSL table in the OVN northbound database has a constraint on it that it can have at most 1 row in it. A check was added in December that makes it so that if we are attempting to insert a row into the table when there is already a row present, then the insert will fail the verification step. This was intended to prevent race conditions where multiple clients might attempt to insert at the same time.

The problem is that when running 'ovn-nbctl set-ssl', this check causes the operation to fail. The set-ssl operation creates a transaction that is supposed to delete the current row in the SSL table and then insert a new one. The problem is that the check added in December is unaware that the delete is part of the transaction. Therefore, it fails the transaction because it thinks we are inserting into a table that already has its maximum amount of data in it.

There are essentially two issues:
1) The transaction should succeed instead of failing.
2) Even if the transaction fails, it should not cause a hang.
Comment 6 Mark Michelson 2018-05-17 17:19:02 UTC 
I've submitted a patch upstream: https://patchwork.ozlabs.org/patch/915611/

I am moving this issue to POST.
Comment 7 Yaniv Lavi 2018-06-24 07:53:50 UTC 
Can you backport this bug to OVS 2.9?
As OVS now in support in RHV, we need this fix urgently.
Comment 8 Mark Michelson 2018-06-25 12:11:53 UTC 
I have sent a message to the upstream maintainer to please backport this to version 2.9 of OVS.
Comment 9 Mark Michelson 2018-06-25 20:32:12 UTC 
Ben has backported the change to the OVS 2.9 branch. I'm setting the state of the issue to MODIFIED.
Comment 13 Timothy Redaelli 2018-08-10 13:45:33 UTC 
The openvwitch component is delivered through the fast datapath channel, it is not documented in release notes.
Comment 15 errata-xmlrpc 2018-08-15 13:53:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2432