Bug 1902054 - [sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should allow multicast traffic in namespaces where it is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.z
Assignee: Aniket Bhat
QA Contact: Weibin Liang
URL:
Whiteboard:
Depends On: 1901675
Blocks: 1930554 1934697
Reported: 2020-11-26 16:44 UTC by Joel Speed
Modified: 2021-03-03 17:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1901675
: 1930554 (view as bug list)
Environment:
[sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should allow multicast traffic in namespaces where it is enabled
[sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should block multicast traffic in namespaces where it is disabled
Last Closed: 2021-02-22 13:54:32 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 25825 0 None closed Bug 1902054: Update multicast test image for use in release-4.6 2021-02-15 10:42:37 UTC
Red Hat Product Errata RHBA-2021:0510 0 None None None 2021-02-22 13:54:49 UTC

Description Joel Speed 2020-11-26 16:44:35 UTC
+++ This bug was initially created as a clone of Bug #1901675 +++

[Filing under multus, because it sounds most relevant, please move if wrong component/subcomponent]

test:
[sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should allow multicast traffic in namespaces where it is enabled 

is failing frequently in CI, see search results:
https://search.ci.openshift.org/?maxAge=168h&context=1&type=bug%2Bjunit&name=&maxMatches=5&maxBytes=20971520&groupBy=job&search=%5C%5Bsig-network%5C%5D+multicast+when+using+one+of+the+plugins+%27redhat%2Fopenshift-ovs-multitenant%2C+redhat%2Fopenshift-ovs-networkpolicy%27+should+allow+multicast+traffic+in+namespaces+where+it+is+enabled


https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ocp-4.7-e2e-vsphere-upi/1331542098637230080

Seems to fail most often because of:
[sig-instrumentation][sig-builds][Feature:Builds] Prometheus when installed on the cluster should start and expose a secured proxy and verify build metrics [Suite:openshift/conformance/parallel]
[sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should allow multicast traffic in namespaces where it is enabled [Suite:openshift/conformance/parallel]

Failure log from CI:
: [sig-imageregistry][Feature:ImageLayers] Image layer subresource should return layers from tagged images [Suite:openshift/conformance/parallel] expand_more 	17s
: [sig-cli] Kubectl client Kubectl copy should copy a file from a running Pod [Suite:openshift/conformance/parallel] [Suite:k8s] expand_more 	5m3s
: [sig-cli] oc debug ensure it works with image streams [Suite:openshift/conformance/parallel] expand_more 	1m17s
: [sig-network][Feature:Router] The HAProxy router should serve the correct routes when scoped to a single namespace and label set [Suite:openshift/conformance/parallel] expand_more 	3m27s
: [sig-network][Feature:Router] The HAProxy router should override the route host for overridden domains with a custom value [Suite:openshift/conformance/parallel] expand_more 	3m26s
: [sig-imageregistry][Feature:ImageAppend] Image append should create images by appending them [Suite:openshift/conformance/parallel] expand_more 	24s
: [sig-imageregistry][Feature:Image] oc tag should preserve image reference for external images [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-apps][Feature:Jobs] Users should be able to create and run a job in a user project [Suite:openshift/conformance/parallel] expand_more 	3m18s
: [sig-network][Feature:Router] The HAProxy router should support reencrypt to services backed by a serving certificate automatically [Suite:openshift/conformance/parallel] expand_more 	3m25s
: [sig-builds][Feature:Builds] Optimized image builds should succeed [Suite:openshift/conformance/parallel] expand_more 	2m19s
: [sig-builds][Feature:Builds][valueFrom] process valueFrom in build strategy environment variables should successfully resolve valueFrom in docker build environment variables [Suite:openshift/conformance/parallel] expand_more 	2m35s
: [sig-auth][Feature:SecurityContextConstraints] TestPodDefaultCapabilities [Suite:openshift/conformance/parallel] expand_more 	3m17s
: [sig-cluster-lifecycle] Pods cannot access the /config/master API endpoint [Suite:openshift/conformance/parallel] expand_more 	3m17s
: [sig-apps][Feature:DeploymentConfig] deploymentconfigs when tagging images should successfully tag the deployed image [Suite:openshift/conformance/parallel] expand_more 	5m19s
: [sig-imageregistry][Feature:Image] oc tag should change image reference for internal images [Suite:openshift/conformance/parallel] expand_more 	18s
: [sig-imageregistry][Feature:ImageLookup] Image policy should perform lookup when the Deployment gets the resolve-names annotation later [Suite:openshift/conformance/parallel] expand_more 	17s
: [sig-imageregistry][Feature:Image] oc tag should work when only imagestreams api is available [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-cli] oc debug deployment configs from a build [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-network][Feature:Router] The HAProxy router should expose prometheus metrics for a route [Suite:openshift/conformance/parallel] expand_more 	1m37s
: [sig-auth][Feature:LDAP] LDAP IDP should authenticate against an ldap server [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-imageregistry][Feature:ImageLookup] Image policy should perform lookup when the object has the resolve-names annotation [Suite:openshift/conformance/parallel] expand_more 	18s
: [sig-imageregistry][Feature:ImageExtract] Image extract should extract content from an image [Suite:openshift/conformance/parallel] expand_more 	20s
: [sig-auth][Feature:LDAP] LDAP should start an OpenLDAP test server [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-instrumentation][sig-builds][Feature:Builds] Prometheus when installed on the cluster should start and expose a secured proxy and verify build metrics [Suite:openshift/conformance/parallel] expand_more 	2m46s
: [sig-cli] oc rsh rsh specific flags should work well when access to a remote shell [Suite:openshift/conformance/parallel] expand_more 	4m16s
: [sig-network][Feature:Router] The HAProxy router should run even if it has no access to update status [Suite:openshift/conformance/parallel] expand_more 	3m22s
: [sig-builds][Feature:Builds] Multi-stage image builds should succeed [Suite:openshift/conformance/parallel] expand_more 	2m19s
: [sig-network] Conntrack should be able to preserve UDP traffic when server pod cycles for a NodePort service [Suite:openshift/conformance/parallel] [Suite:k8s] expand_more 	1m20s
: [sig-builds][Feature:Builds] prune builds based on settings in the buildconfig should prune completed builds based on the successfulBuildsHistoryLimit setting [Suite:openshift/conformance/parallel] expand_more 	2m27s
: [sig-imageregistry][Feature:ImageLookup] Image policy should update standard Kube object image fields when local names are on [Suite:openshift/conformance/parallel] expand_more 	17s
: [sig-builds][Feature:Builds] s2i build with a root user image should create a root build and pass with a privileged SCC [Suite:openshift/conformance/parallel] expand_more 	17s
: [sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should block multicast traffic in namespaces where it is disabled [Suite:openshift/conformance/parallel] expand_more 	5m18s
: [sig-imageregistry][Feature:ImageTriggers] Annotation trigger reconciles after the image is overwritten [Suite:openshift/conformance/parallel] expand_more 	46s
: [sig-network][Feature:Router] The HAProxy router should serve routes that were created from an ingress [Suite:openshift/conformance/parallel] expand_more 	3m56s
: [sig-network][Feature:Router] The HAProxy router should override the route host with a custom value [Suite:openshift/conformance/parallel] expand_more 	3m26s
: [sig-network][Feature:Router] The HAProxy router should serve a route that points to two services and respect weights [Suite:openshift/conformance/parallel] expand_more 	3m22s
: [sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should allow multicast traffic in namespaces where it is enabled [Suite:openshift/conformance/parallel] expand_more 	5m20s
: [sig-imageregistry][Feature:ImageInfo] Image info should display information about images [Suite:openshift/conformance/parallel] expand_more 	27s
: [sig-builds][Feature:Builds] custom build with buildah being created from new-build should complete build with custom builder image [Suite:openshift/conformance/parallel] expand_more 	3m21s
: [sig-builds][Feature:Builds] build can reference a cluster service with a build being created from new-build should be able to run a build that references a cluster service [Suite:openshift/conformance/parallel] expand_more 	20s
: Run multi-stage test e2e-vsphere-upi - e2e-vsphere-upi-openshift-e2e-test container test expand_more

--- Additional comment from Lokesh Mandvekar on 2020-11-25 19:51:37 UTC ---

Same log URL for test: [sig-network] multicast when using one of the plugins 'redhat/openshift-ovs-multitenant, redhat/openshift-ovs-networkpolicy' should block multicast traffic in namespaces where it is disabled

Comment 6 Weibin Liang 2021-01-04 19:34:42 UTC
Looks like the PR is still not merged into v4.6

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ocp-4.6-e2e-vsphere-upi/1346097930364260352

Multicast pod still tries to pull the image from docker.io

Jan  4 15:00:08.695: INFO: At 2021-01-04 14:56:14 +0000 UTC - event for multicast-3: {kubelet compute-1} Failed: Failed to pull image "openshift/test-multicast": rpc error: code = Unknown desc = Error reading manifest latest in docker.io/openshift/test-multicast: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

Comment 7 Aniket Bhat 2021-01-20 19:51:06 UTC
This test is flaky and fails in the AfterSuite actions:

Jan 14 04:17:30.739: INFO: Running AfterSuite actions on node 1
fail [github.com/openshift/origin/test/extended/networking/multicast.go:52]: Expected success, but got an error:
    <*exec.ExitError | 0xc002d52d40>: {
        ProcessState: {
            pid: 26544,
            status: 256,
            rusage: {
                Utime: {Sec: 0, Usec: 164269},
                Stime: {Sec: 0, Usec: 25730},
                Maxrss: 157780,
                Ixrss: 0,
                Idrss: 0,
                Isrss: 0,
                Minflt: 2535,
                Majflt: 0,
                Nswap: 0,
                Inblock: 0,
                Oublock: 0,
                Msgsnd: 0,
                Msgrcv: 0,
                Nsignals: 0,
                Nvcsw: 800,
                Nivcsw: 6,
            },
        },
        Stderr: nil,
    }
    exit status 1

Will investigate separately, but the docker pull issue is now fixed.

Comment 12 errata-xmlrpc 2021-02-22 13:54:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0510

