Bug 1626207 - migrate-network-policy.sh needs better error handling
Summary: migrate-network-policy.sh needs better error handling
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Dan Winship
QA Contact: Meng Bo
Depends On:
TreeView+ depends on / blocked
Reported: 2018-09-06 17:55 UTC by Max Whittingham
Modified: 2019-06-04 10:40 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:40:34 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Origin (Github) 20618 0 None None None 2018-10-09 15:42:35 UTC
Origin (Github) 21210 0 None None None 2018-10-10 14:26:54 UTC
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:40:43 UTC

Description Max Whittingham 2018-09-06 17:55:32 UTC
Description of problem:
    If you have a stray NetNamespace object without a corresponding Namespace, the migration script will fail when trying to create a NetworkPolicy in that namespace:

     Error from server (NotFound): error when creating "STDIN":
     namespaces "gsnvc" not found

    If you run the migration script, then run the unmigration script, then run the migration script again, it will fail:

     Error from server (AlreadyExists): error when creating "STDIN":
     networkpolicies.extensions "default-deny" already exists

Expected results:
migrate-network-policy.sh should be able to be run idempotently, failing midway through should not prevent subsequent runs.

Comment 2 Casey Callendrello 2018-10-09 18:44:06 UTC
Dan, can you take a look?

Comment 3 Dan Winship 2018-10-10 14:26:55 UTC

Comment 4 Weibin Liang 2018-12-05 20:00:28 UTC
Used latest migrate-network-policy.sh and no error message showed up any more when tested in v3.10.83.

[root@qe-weliang-310master-etcd-nfs-1 ~]# ./policy.sh 
Deleting orphan NetNamespace 'weibin-testing':
    apiVersion: network.openshift.io/v1
    kind: NetNamespace
      creationTimestamp: 2018-12-05T19:36:34Z
      name: weibin-testing
      resourceVersion: "50534"
      selfLink: /apis/network.openshift.io/v1/netnamespaces/weibin-testing
      uid: 12d64134-f8c5-11e8-b1be-fa163e4add6f
    netid: 3333
    netname: weibin-testing
netnamespace.network.openshift.io "weibin-testing" deleted

NAMESPACE: default
Namespace is global: adding label legacy-netid=0

NAMESPACE: hostports

NAMESPACE: install-test

NAMESPACE: kube-public

NAMESPACE: kube-service-catalog
Namespace is global: adding label legacy-netid=0

NAMESPACE: kube-system

NAMESPACE: management-infra

NAMESPACE: my-namespace

NAMESPACE: openshift

NAMESPACE: openshift-ansible-service-broker

NAMESPACE: openshift-infra

NAMESPACE: openshift-logging

NAMESPACE: openshift-node

NAMESPACE: openshift-sdn

NAMESPACE: openshift-template-service-broker

NAMESPACE: openshift-web-console


Renumbering formerly-shared namespaces: kube-service-catalog
[root@qe-weliang-310master-etcd-nfs-1 ~]# oc version
oc v3.10.83
kubernetes v1.10.0+b81c8f8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-weliang-310master-etcd-nfs-1.int.1205-fxp.qe.rhcloud.com:8443
openshift v3.10.83
kubernetes v1.10.0+b81c8f8
[root@qe-weliang-310master-etcd-nfs-1 ~]#

Comment 7 errata-xmlrpc 2019-06-04 10:40:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.