Bug 1851903 - kuryr cannot access namespaces in /var/run/netns properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.4.z
Assignee: Michał Dulko
QA Contact: GenadiC
URL:
Whiteboard:
Depends On: 1825339 1831112
Blocks: 1838116
Reported: 2020-06-29 11:16 UTC by OpenShift BugZilla Robot
Modified: 2020-07-21 10:31 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-21 10:31:06 UTC
Target Upstream Version:




Links
System | ID | Priority | Status | Summary | Last Updated
Github | openshift cluster-network-operator pull 684 | None | closed | [release-4.4] Bug 1851903: Kuryr: Mount /run/netns to ensure netns access | 2020-07-14 18:58:52 UTC
Red Hat Product Errata | RHBA-2020:2913 | None | None | None | 2020-07-21 10:31:41 UTC

Comment 3 Peter Hunt 2020-07-06 13:53:57 UTC
*** Bug 1825339 has been marked as a duplicate of this bug. ***

Comment 4 rlobillo 2020-07-07 10:42:00 UTC
Cannot be verified until https://github.com/openshift/machine-config-operator/pull/1871 is included in OCP4.4 nightlies.

Comment 5 rlobillo 2020-07-07 15:32:23 UTC
Back to MODIFIED until the dependent bugzilla is resolved.

Comment 9 rlobillo 2020-07-10 08:46:26 UTC
Verified on OCP4.4.0-0.nightly-2020-07-09-161409 on OSP16.1 with OVN (RHOS-16.1-RHEL-8-20200701.n.0).

# Installation successful: 

(overcloud) [stack@undercloud-0 ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-07-09-161409   True        False         9h      Cluster version is 4.4.0-0.nightly-2020-07-09-161409


# CNI pod can access worker netns:

(overcloud) [stack@undercloud-0 ~]$ oc get pods -n openshift-kuryr -o wide
NAME                                READY   STATUS    RESTARTS   AGE   IP             NODE                        NOMINATED NODE   READINESS GATES
kuryr-cni-7gxp9                     1/1     Running   1          9h    10.196.0.181   ostest-sttrc-worker-5xzcr   <none>           <none>
kuryr-cni-crk4j                     1/1     Running   0          9h    10.196.0.61    ostest-sttrc-worker-w7bmq   <none>           <none>
kuryr-cni-kc4j4                     1/1     Running   0          9h    10.196.2.6     ostest-sttrc-master-1       <none>           <none>
kuryr-cni-n9qv7                     1/1     Running   2          9h    10.196.2.20    ostest-sttrc-master-2       <none>           <none>
kuryr-cni-tm2kn                     1/1     Running   0          9h    10.196.0.208   ostest-sttrc-worker-cr8k7   <none>           <none>
kuryr-cni-trch9                     1/1     Running   1          9h    10.196.1.209   ostest-sttrc-master-0       <none>           <none>
kuryr-controller-6d95b6c684-fgcd9   1/1     Running   2          9h    10.196.2.6     ostest-sttrc-master-1       <none>           <none>

(overcloud) [stack@undercloud-0 ~]$ ssh -J core@10.46.22.116 core@10.196.0.181 ip netns list | sort
Warning: Permanently added '10.46.22.116' (ECDSA) to the list of known hosts.
Warning: Permanently added '10.196.0.181' (ECDSA) to the list of known hosts.
09e3ad5b-9de6-4dd2-a93a-d70bdc3c258e (id: 5)
209dfef7-6ab8-4f95-949f-9b471bf7ec82 (id: 0)
279e594b-fde8-405e-8bc6-ac6389f911f1 (id: 13)
3a7e1310-63fd-4b6b-8516-bbe2f49286be (id: 17)
55fe93ef-4b08-4f23-92b9-8f75713cf516 (id: 14)
707d075f-7787-4666-966b-721d568fdf03 (id: 12)
878e0f21-a9cf-4f4e-8b5c-ee0ccd1bffe9 (id: 3)
9cdcaf79-1240-42c4-ab8d-d40fcc62fb62 (id: 11)
a4ad61bb-0995-4f61-abd0-58a46d341988 (id: 2)
a66fba3e-5b7b-4bda-acf1-e5395001f76c
af372a84-77b0-4d66-a47e-b1ecca1d8117 (id: 16)
bb2e63e9-02bb-4049-bf5d-605a449a7cba (id: 1)
c06df8cc-3cab-41a1-9dcd-fcd2b88be475 (id: 4)
d66b0761-d939-48a9-94ff-2b39d8b306fe (id: 10)
d70b46c8-02ca-4f07-bbd3-80e0470abfc9 (id: 9)

(overcloud) [stack@undercloud-0 ~]$ oc rsh -n openshift-kuryr kuryr-cni-7gxp9 ls -l /var/run/netns | awk '{print $9}'| sort 
09e3ad5b-9de6-4dd2-a93a-d70bdc3c258e
209dfef7-6ab8-4f95-949f-9b471bf7ec82
279e594b-fde8-405e-8bc6-ac6389f911f1
3a7e1310-63fd-4b6b-8516-bbe2f49286be
55fe93ef-4b08-4f23-92b9-8f75713cf516
707d075f-7787-4666-966b-721d568fdf03
878e0f21-a9cf-4f4e-8b5c-ee0ccd1bffe9
9cdcaf79-1240-42c4-ab8d-d40fcc62fb62
a4ad61bb-0995-4f61-abd0-58a46d341988
a66fba3e-5b7b-4bda-acf1-e5395001f76c
af372a84-77b0-4d66-a47e-b1ecca1d8117
bb2e63e9-02bb-4049-bf5d-605a449a7cba
c06df8cc-3cab-41a1-9dcd-fcd2b88be475
d66b0761-d939-48a9-94ff-2b39d8b306fe
d70b46c8-02ca-4f07-bbd3-80e0470abfc9

# kuryr-cni pods mount namespaces on the /run/netns directory:

(overcloud) [stack@undercloud-0 ~]$ oc get pods -n openshift-kuryr -o yaml | grep -e mountPath:.*netns -e 'name: kuryr-cni-'
    name: kuryr-cni-7gxp9
      - mountPath: /run/netns
    name: kuryr-cni-crk4j
      - mountPath: /run/netns
    name: kuryr-cni-kc4j4
      - mountPath: /run/netns
    name: kuryr-cni-n9qv7
      - mountPath: /run/netns
    name: kuryr-cni-tm2kn
      - mountPath: /run/netns
    name: kuryr-cni-trch9
      - mountPath: /run/netns

# and there is a link from /run/ to /var/ making it accessible through /var/run/netns:

(overcloud) [stack@undercloud-0 ~]$ for i in $(oc get pods -n openshift-kuryr -l app=kuryr-cni -o NAME); do oc rsh -n openshift-kuryr $i ls -larth /var/run; done
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
lrwxrwxrwx. 1 root root 6 Jun 22 07:26 /var/run -> ../run
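
The comparison in Comment 9 (host `ip netns list` against the pod's `/var/run/netns` listing) can be scripted as below. This is an added example, not part of the original bug report or of the kuryr project; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report host network namespaces that a kuryr-cni pod cannot
# see. All names below (functions, SAMPLE_* data) are constructed.

# `ip netns list` prints "NAME" or "NAME (id: N)"; keep only NAME.
host_netns_names() {
    awk 'NF { print $1 }' | LC_ALL=C sort -u
}

# `ls -l /var/run/netns` prints a "total N" header and one line per entry;
# the entry name is the last field.
pod_netns_names() {
    awk 'NF && $1 != "total" { print $NF }' | LC_ALL=C sort -u
}

# $1: output of `ip netns list` taken on the node
# $2: output of `ls -l /var/run/netns` taken inside the pod
# Prints every namespace present on the host but absent in the pod.
# Empty output means the pod's mount exposes all host namespaces.
netns_missing_in_pod() {
    pod_names=$(printf '%s\n' "$2" | pod_netns_names)
    printf '%s\n' "$1" | host_netns_names | while read -r ns; do
        printf '%s\n' "$pod_names" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
    done
}

# Constructed sample input: three namespaces on the host.
SAMPLE_HOST='ns-aaaa (id: 0)
ns-bbbb
ns-cccc (id: 2)'

# Constructed pod listing where the mount exposes every host namespace.
SAMPLE_POD_OK='total 0
-r--r--r--. 1 root root 0 Jul 10 08:00 ns-aaaa
-r--r--r--. 1 root root 0 Jul 10 08:00 ns-bbbb
-r--r--r--. 1 root root 0 Jul 10 08:00 ns-cccc'

# Constructed pod listing where one namespace is not visible.
SAMPLE_POD_STALE='total 0
-r--r--r--. 1 root root 0 Jul 10 08:00 ns-aaaa
-r--r--r--. 1 root root 0 Jul 10 08:00 ns-cccc'

# Demo: prints the namespace the pod cannot see.
netns_missing_in_pod "$SAMPLE_HOST" "$SAMPLE_POD_STALE"
```

On a live cluster the two arguments would be the captured output of the `ssh ... ip netns list` and `oc rsh ... ls -l /var/run/netns` commands shown in Comment 9.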

Comment 11 errata-xmlrpc 2020-07-21 10:31:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2913

