Bug 2214454 - nft rules are not collected if the VMs are running in the node where must-gather is running
Summary: nft rules are not collected if the VMs are running in the node where must-gat...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Logging
Version: 4.13.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.13.2
Assignee: Nahshon Unna-Tsameret
QA Contact: SATHEESARAN
URL:
Whiteboard:
Duplicates: 2193081
Depends On:
Blocks: 2208641
 
Reported: 2023-06-13 03:17 UTC by nijin ashok
Modified: 2023-09-26 17:13 UTC

Fixed In Version: v4.13.1.rhel9-201
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 14:51:33 UTC
Target Upstream Version:
Embargoed:




Links
Github kubevirt/must-gather pull 182 (Merged): Ensure pgrep only picks virt-launcher pid while collecting nft rules, last updated 2023-06-25 08:47:19 UTC
Red Hat Issue Tracker CNV-29804, last updated 2023-06-13 03:18:42 UTC
Red Hat Product Errata RHSA-2023:4421, last updated 2023-08-01 14:52:14 UTC

Description nijin ashok 2023-06-13 03:17:15 UTC
Description of problem:

The must-gather pod runs `oc exec -n  virt-handler -- /bin/bash -c "pgrep -f 'virt-launcher .*${vmuid}'"` to get the pid of the virt-launcher to feed into nsenter. However, if the must-gather pod is running on the same node as the VM, pgrep will also match this `oc exec pgrep` process and will return two pids.

~~~
must-gather pod running in node openshift-master-orion-2

[root@dell-per7525-03 ~]# oc get pod -o wide
NAME                READY   STATUS    RESTARTS   AGE   IP            NODE                       NOMINATED NODE   READINESS GATES
must-gather-n2tzd   2/2     Running   0          16s   10.130.1.43   openshift-master-orion-2   <none>           <none> 

pgrep for the VM with uuid 91a7d4cf-5607-47d8-81ee-702e2837b554, which is running on the same node, gives two pids:

# oc rsh must-gather-sxkkf
Defaulted container "gather" out of: gather, copy
sh-4.4# oc exec -n openshift-cnv virt-handler-25twk -- /bin/bash -c "pgrep -f 'virt-launcher .*91a7d4cf-5607-47d8-81ee-702e2837b554'"
Defaulted container "virt-handler" out of: virt-handler, virt-launcher (init)
1872042
3357272

3357272 is the oc exec process:

root     3360536  0.0  0.2 2151792 84060 pts/0   Sl+  03:03   0:00 oc exec -n openshift-cnv virt-handler-25twk -- /bin/bash -c pgrep -f 'virt-launcher .*91a7d4cf-5607-47d8-81ee-702e2837b554'
~~~

So nsenter will get two pids and the `nft list ruleset` will fail to collect.


Version-Release number of selected component (if applicable):

OpenShift Virtualization 4.13.0

How reproducible:

100%

Steps to Reproduce:

1. Run must-gather with vms_details:

# oc adm must-gather    --image=registry.redhat.io/container-native-virtualization/cnv-must-gather-rhel9:v4.13.0 -- /usr/bin/gather --vms_details

2. Check the collected nft rules for VMs which were running on the same node as the must-gather pod; these will be empty:

"must-gather.local.3686294122690156338/registry-redhat-io-container-native-virtualization-cnv-must-gather-rhel9-sha256-b2193e480a95557ab4b377f3bbde6c111e7c7db2f9927dc18699debfa4d34da1/namespaces/nijin-cnv/vms/centos7-c4xa6uojyeu0osx3/virt-launcher-centos7-c4xa6uojyeu0osx3-q8llx.ruletables.txt" was empty.


Actual results:

nft rules are not collected if the VMs are running in the node where must-gather is running

Expected results:

It should collect nft rules.

Additional info:

Comment 1 Krzysztof Majcher 2023-06-20 12:44:07 UTC
*** Bug 2193081 has been marked as a duplicate of this bug. ***
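
The self-match described in the report, reproduced with a stand-in process and then closed off, as an added example. This is not code from kubevirt/must-gather, and the bracket-expression pattern below is this example's own hardening, not a statement of what pull 182 changed. It assumes a Linux host with procps `pgrep`/`pkill` and `mktemp`; the VM uid is the one from the report, reused as a constructed value, and the fake launcher is a shell script whose command line contains `virt-launcher ... <uid>` the way the real virt-launcher's does:

```sh
#!/bin/sh
# Added example, not code from kubevirt/must-gather: reproduces the pgrep
# self-match from the report with a stand-in virt-launcher process and shows
# a lookup whose pattern cannot match its own command line.
set -u

# Constructed VM uid (same value as in the report; any unique string works).
VMUID="91a7d4cf-5607-47d8-81ee-702e2837b554"

# Start a stand-in for virt-launcher: a script in a temp dir, run as
# "sh <dir>/virt-launcher --uid <uid>", so its command line contains
# "virt-launcher ... <uid>" like the real launcher's. Prints its pid.
start_fake_launcher() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nsleep 60\nexit 0\n' > "$dir/virt-launcher"
    sh "$dir/virt-launcher" --uid "$VMUID" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1    # let the child exec before anyone scans /proc
    echo "$pid"
}

# Stop the stand-in and its sleep child.
stop_fake_launcher() {
    pkill -P "$1" 2>/dev/null
    kill "$1" 2>/dev/null
}

# Lookup as must-gather did it. The wrapper shell stands in for
# `oc exec ... /bin/bash -c "pgrep -f ..."`: its own command line carries the
# literal text "virt-launcher .*<uid>", which the regex also matches, so pgrep
# reports the wrapper as well as the launcher (2 pids on an affected node).
buggy_lookup() {
    sh -c "pgrep -f 'virt-launcher .*$VMUID'; exit 0"
}

# Hardened lookup (this example's choice, not necessarily the upstream fix):
# "[v]irt-launcher" still matches a real command line containing
# "virt-launcher", but the pattern text itself never contains that string,
# so the wrapper that carries the pattern cannot match.
safe_lookup() {
    sh -c "pgrep -f '[v]irt-launcher .*$VMUID'; exit 0"
}

# Number of pids a lookup returned.
count_pids() {
    "$1" | grep -c .
}

# What the nsenter step needs: exactly one pid. Anything else should be a
# loud error rather than a silently empty ruletables.txt.
launcher_pid_or_fail() {
    pids=$(safe_lookup)
    n=$(printf '%s\n' "$pids" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one virt-launcher pid for $VMUID, got $n" >&2
        return 1
    fi
    echo "$pids"
}

# Demonstration when run directly.
demo_pid=$(start_fake_launcher)
echo "buggy lookup: $(count_pids buggy_lookup) pid(s)"   # 2
echo "safe lookup:  $(count_pids safe_lookup) pid(s)"    # 1
echo "nsenter target: $(launcher_pid_or_fail)"           # the stand-in's pid
stop_fake_launcher "$demo_pid"
```

Run it with `sh` on a node-like host; the buggy lookup returns two pids (launcher plus the wrapper holding the pattern) while the hardened one returns only the launcher. Two things carry over to a collector script: a `pgrep -f` pattern must not be able to match the text of the command that invokes it (the `[v]` bracket trick, or anchoring on the real process's argv, achieves that), and the result should be checked for exactly one pid before it is handed to `nsenter`, so a duplicate or a miss produces an error in the gather log instead of an empty file.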

Comment 2 SATHEESARAN 2023-07-04 09:27:55 UTC
Tested with CNV v4.13.2-rhel9-32, with "cnv-must-gather-rhel9:v4.13.2-5"

1. Created a VM running in 'node1'
2. Ran must-gather command with --node-name as 'node1'
# oc adm must-gather --node-name=c01-ss-4132-m6m46-worker-0-vszjt --image=registry-proxy.engineering.redhat.com/rh-osbs/container-native-virtualization-cnv-must-gather-rhel9:v4.13.2-5 -- /usr/bin/gather --vms_details

3. Once the 'must-gather' completed, checked that the contents of the ruletables.txt file are non-empty
# cat must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt 
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
.
.

# ls -lt must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt 
-rw-r--r--. 1 cloud-user cloud-user 1660 Jul  4 05:15 must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt


With this information, verifying this bug

Comment 8 errata-xmlrpc 2023-08-01 14:51:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.5 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:4421

