Bug 1575929 - openvswitch-ovn-common v2.9.0 hangs configuring ssl if ssl configuration exists
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Timothy Redaelli
QA Contact: haidong li
Depends On:
Blocks: 1570384 1593252
Reported: 2018-05-08 10:29 UTC by Sandro Bonazzola
Modified: 2020-01-14 22:17 UTC

Fixed In Version: openvswitch-2.9.0-53.el7fdn
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2018-08-15 13:53:04 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1570384 | 0 | high | CLOSED | Engine-setup hangs on "Creating CA" with openvswitch-ovn-common v2.9.0 | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHBA-2018:2432 | 0 | None | None | None | 2018-08-15 13:53:51 UTC

Internal Links: 1570384

Description Sandro Bonazzola 2018-05-08 10:29:10 UTC
Issue has been seen in oVirt / RHV deployment and reported in bug #1570384.
I've been told that openvswitch v 2.10 should already have a fix for this, please rebase on the new version.
I would suggest an async release for this.

Comment 2 Mark Michelson 2018-05-08 13:58:37 UTC
@Sandro, you say this is fixed in 2.10 (OVS master, I guess). Do you know which commit fixes this? The closest thing I've found is https://patchwork.ozlabs.org/project/openvswitch/list/?series=40928 which is not yet merged.

Comment 3 Mark Michelson 2018-05-11 12:56:04 UTC
Hi Sandro,

Lorenzo Bianconi gave me instructions on how to reproduce this outside of ovirt. What I can say right now is that the suspected patches to fix this (the ones I referenced earlier) appear NOT to fix this issue.

I am looking into it and will let you know when I have a fix.

Comment 4 Sandro Bonazzola 2018-05-14 14:31:58 UTC
Thanks Mark, we'll stay tuned.

Comment 5 Mark Michelson 2018-05-15 13:41:40 UTC
I believe I've found the cause of the problem. It's from a commit introduced in December.

The SSL table in the OVN northbound database has a constraint on it that it can have at most 1 row in it. A check was added in December that makes it so that if we are attempting to insert a row into the table when there is already a row present, then the insert will fail the verification step. This was intended to prevent race conditions where multiple clients might attempt to insert at the same time.

The problem is that when running 'ovn-nbctl set-ssl', this check causes the operation to fail. The set-ssl operation creates a transaction that is supposed to delete the current row in the SSL table and then insert a new one. The problem is that the check added in December is unaware that the delete is part of the transaction. Therefore, it fails the transaction because it thinks we are inserting into a table that already has its maximum amount of data in it.

There are essentially two issues:
1) The transaction should succeed instead of failing.
2) Even if the transaction fails, it should not cause a hang.
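
The failure mode described in comment 5, as an added example that is not part of the bug report and is not OVS code: a simplified Python model of a one-row table, where a check that looks only at the committed row count rejects a delete-then-insert transaction, while a check on the transaction's net result accepts it and still refuses a bare second insert. The names Table, naive_check, net_check and commit are hypothetical, and the sample rows are constructed.

```python
# Simplified model of the max-rows check described in comment 5.
# Not OVS/OVSDB code: Table, naive_check, net_check, commit are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Table:
    max_rows: int
    rows: dict = field(default_factory=dict)  # row id -> row contents


def naive_check(table, ops):
    """Reject any insert while the committed table is already full.

    Deletes queued in the same transaction are ignored.
    """
    for op, _row_id, _data in ops:
        if op == "insert" and len(table.rows) >= table.max_rows:
            return False
    return True


def net_check(table, ops):
    """Apply the whole transaction to a copy, then test the constraint."""
    result = dict(table.rows)
    for op, row_id, data in ops:
        if op == "delete":
            result.pop(row_id, None)
        elif op == "insert":
            result[row_id] = data
    return len(result) <= table.max_rows


def commit(table, ops, check):
    """Commit all operations if `check` passes; return True on success."""
    if not check(table, ops):
        return False
    for op, row_id, data in ops:
        if op == "delete":
            table.rows.pop(row_id, None)
        else:
            table.rows[row_id] = data
    return True


def ssl_table():
    """Constructed sample: an SSL table that already holds its one row."""
    return Table(max_rows=1, rows={"old": {"private_key": "/constructed/old.pem"}})

# set-ssl style transaction: delete the current row, then insert the new one.
SET_SSL = [("delete", "old", None),
           ("insert", "new", {"private_key": "/constructed/new.pem"})]
# A second client inserting without deleting must still be refused.
BARE_INSERT = [("insert", "extra", {"private_key": "/constructed/extra.pem"})]
```

With `naive_check` the `SET_SSL` transaction is refused even though its net effect keeps the table at one row; with `net_check` it commits, and `BARE_INSERT` against a full table is refused by both.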

Comment 6 Mark Michelson 2018-05-17 17:19:02 UTC
I've submitted a patch upstream: https://patchwork.ozlabs.org/patch/915611/

I am moving this issue to POST.

Comment 7 Yaniv Lavi 2018-06-24 07:53:50 UTC
Can you backport this bug to OVS 2.9?
As OVS is now in support in RHV, we need this fix urgently.

Comment 8 Mark Michelson 2018-06-25 12:11:53 UTC
I have sent a message to the upstream maintainer to please backport this to version 2.9 of OVS.

Comment 9 Mark Michelson 2018-06-25 20:32:12 UTC
Ben has backported the change to the OVS 2.9 branch. I'm setting the state of the issue to MODIFIED.

Comment 13 Timothy Redaelli 2018-08-10 13:45:33 UTC
The openvswitch component is delivered through the fast datapath channel; it is not documented in release notes.

Comment 15 errata-xmlrpc 2018-08-15 13:53:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

