Bug 1906650 - Cannot collect network policy, EgressFirewall, egressip logs with gather_network_logs
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.7.0
Assignee: Andrew Stoycos
QA Contact: huirwang
Reported: 2020-12-11 03:09 UTC by huirwang
Modified: 2021-02-24 15:42 UTC (History)

Last Closed: 2021-02-24 15:41:57 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-network-operator pull 919 | 0 | None | closed | Bug 1906650: Add NetworkPolicy, EgressIP, and EgressFirewall to related-objects | 2021-01-05 15:04:02 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:42:24 UTC

Description huirwang 2020-12-11 03:09:20 UTC
How reproducible:
Always

Steps to Reproduce:
1. oc adm must-gather -- gather_network_logs


Actual results:
[must-gather-zrwhn] POD WARNING: Collecting network logs on ALL linux nodes in your cluster. This could take a long time.
[must-gather-zrwhn] POD /usr/bin/gather_network_logs: line 235: [-z: command not found
[must-gather-zrwhn] POD INFO: ovn-ipsec is enabled, tunnel traffic should be encryted
[must-gather-zrwhn] POD INFO: Gathering ovn-ipsec data
[must-gather-zrwhn] POD INFO: Gathering Multus data
[must-gather-zrwhn] POD INFO: Gathering ovn-kubernetes node data
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD INFO: Gathering ovn-kubernetes master data
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD tar: Removing leading `/' from member names
[must-gather-zrwhn] POD INFO: Waiting for node network log collection to complete ...

After the above command, check the network_logs folder: there are no policies, egressFirewalls, or egressips folders, and no such logs.


Expected results:
Should collect policies, egressFirewalls, egressips logs successfully.



Additional info:
Besides the above issue, one more note:

For EgressFirewall, the object name is different between SDN and OVN.
In SDN, it is called egressnetworkpolicy; please see the example below.
oc describe egressnetworkpolicy  policy-test -n test
Name:		policy-test
Namespace:	test
Created:	15 seconds ago
Labels:		<none>
Annotations:	<none>
Rule:		Allow to www.facebook.com
Rule:		Deny to 0.0.0.0/0
In OVN, it is called egressfirewall; the current way is OK.

For EgressIP, it is also different between sdn and ovn.
In SDN, I think the logs could maybe be collected with:
oc get hostsubnet
It is better to confirm with DEV what egressIP logs need to be collected in SDN.

In OVN, the EgressIP object does not belong to any namespace; it is a cluster-wide resource. So we don't need to execute "oc describe EgressIP" in each namespace.
oc describe EgressIP -n "${NAMESPACE}" \
 > "${EGRESSIP_LOG_PATH}"/"${NAMESPACE}"_EgressIPs 2>&1 & PIDS=($!)
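
Added example (not part of the original report, and not code from gather_network_logs): the object-name and scoping differences described above, written as a shell function that prints the collection commands for each plugin instead of running them. The function name plan_gather, the sdn/ovn arguments and the sample namespaces are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; plan_gather is a hypothetical helper, not part of
# gather_network_logs. It prints commands and never contacts a cluster.
# Usage: plan_gather <sdn|ovn> [namespace ...]
plan_gather() {
    _plugin="${1:-}"
    [ "$#" -gt 0 ] && shift
    # The space after "[" matters: "[-z" is looked up as a command name,
    # which is the "[-z: command not found" error in the log above.
    if [ -z "${_plugin}" ]; then
        echo "ERROR: network plugin not given" >&2
        return 2
    fi
    case "${_plugin}" in
        sdn) _fw_kind="egressnetworkpolicy" ;;  # SDN name for the egress firewall
        ovn) _fw_kind="egressfirewall" ;;       # OVN name
        *)   echo "ERROR: unknown plugin: ${_plugin}" >&2; return 2 ;;
    esac
    # Namespaced objects: one describe per namespace.
    for _ns in "$@"; do
        printf 'oc describe networkpolicy -n %s\n' "${_ns}"
        printf 'oc describe %s -n %s\n' "${_fw_kind}" "${_ns}"
    done
    # Egress IP data is collected once per cluster, outside the loop.
    if [ "${_plugin}" = "ovn" ]; then
        # EgressIP is cluster-scoped in OVN, so no -n flag.
        printf 'oc describe egressip\n'
    else
        # The report's tentative suggestion for SDN.
        printf 'oc get hostsubnet\n'
    fi
}

# Constructed sample run: an OVN cluster with three namespaces.
plan_gather ovn test default openshift-ingress
```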

Comment 1 Andrew Stoycos 2020-12-11 14:43:36 UTC
Hey there, 

So I had implemented this feature within gather-network-logs (https://github.com/openshift/must-gather/pull/187), but I saw some scale issues with it and therefore reverted the work.  Instead these objects will be collected via the "Related-objects" mechanism which I have yet to implement.  This will be a good method for tracking that work, thanks for creating. 

- Andrew

Comment 6 errata-xmlrpc 2021-02-24 15:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

