Description of problem:

must-gather pod will be running oc exec -n virt-handler -- /bin/bash -c "pgrep -f 'virt-launcher .*${vmuid}'" to get the pid of the virt-launcher to feed into nsenter. However, if the must-gather pod is running in the same node where the VM is running, pgrep will also get this `oc exec pgrep` pid and will get two pids.

~~~
must-gather pod running in node openshift-master-orion-2

[root@dell-per7525-03 ~]# oc get pod -o wide
NAME                READY   STATUS    RESTARTS   AGE   IP            NODE                       NOMINATED NODE   READINESS GATES
must-gather-n2tzd   2/2     Running   0          16s   10.130.1.43   openshift-master-orion-2   <none>           <none>

pgrep of VM with uuid 91a7d4cf-5607-47d8-81ee-702e2837b554 which is running in the same node will give two pids:

# oc rsh must-gather-sxkkf
Defaulted container "gather" out of: gather, copy
sh-4.4# oc exec -n openshift-cnv virt-handler-25twk -- /bin/bash -c "pgrep -f 'virt-launcher .*91a7d4cf-5607-47d8-81ee-702e2837b554'"
Defaulted container "virt-handler" out of: virt-handler, virt-launcher (init)
1872042
3357272

3357272 is the oc exec process:

root     3360536  0.0  0.2 2151792 84060 pts/0   Sl+  03:03   0:00 oc exec -n openshift-cnv virt-handler-25twk -- /bin/bash -c pgrep -f 'virt-launcher .*91a7d4cf-5607-47d8-81ee-702e2837b554'
~~~

So nsenter will get two pids and the `nft list ruleset` will fail to collect.

Version-Release number of selected component (if applicable):

OpenShift Virtualization 4.13.0

How reproducible:

100%

Steps to Reproduce:

1. Run must-gather with vms_details:

   # oc adm must-gather --image=registry.redhat.io/container-native-virtualization/cnv-must-gather-rhel9:v4.13.0 -- /usr/bin/gather --vms_details

2. Check the collected nft rules for VMs which were running in the same node as the must-gather pod and this will be empty:

   "must-gather.local.3686294122690156338/registry-redhat-io-container-native-virtualization-cnv-must-gather-rhel9-sha256-b2193e480a95557ab4b377f3bbde6c111e7c7db2f9927dc18699debfa4d34da1/namespaces/nijin-cnv/vms/centos7-c4xa6uojyeu0osx3/virt-launcher-centos7-c4xa6uojyeu0osx3-q8llx.ruletables.txt" was empty.

Actual results:

nft rules are not collected if the VMs are running in the node where must-gather is running.

Expected results:

It should collect nft rules.

Additional info:
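An added illustration of the self-match described in this report (not code from must-gather and not the fix that shipped): a full-command-line match is compared with a match restricted to processes whose executable is virt-launcher, followed by a check that exactly one pid remains before it is handed to nsenter. The function names and the process listing, including the flags shown in it, are constructed for the example; only the two pids, the UUID and the `oc exec` command line come from the report.

```shell
# Constructed listing in `ps -eo pid=,args=` layout.
sample_ps() {
cat <<'EOF'
1872042 /usr/bin/virt-launcher --name centos7 --uid 91a7d4cf-5607-47d8-81ee-702e2837b554
3357272 oc exec -n openshift-cnv virt-handler-25twk -- /bin/bash -c pgrep -f 'virt-launcher .*91a7d4cf-5607-47d8-81ee-702e2837b554'
4001 /usr/bin/virt-launcher --name other --uid 00000000-0000-0000-0000-000000000000
EOF
}

# Mimics `pgrep -f`: the regex is tested against the whole command line,
# so any process that merely quotes the pattern in its arguments matches too.
naive_match() {   # $1 = VM uid, listing on stdin
  awk -v re="virt-launcher .*$1" '{
    line = $0; sub(/^[ ]*[0-9]+ /, "", line)
    if (line ~ re) print $1
  }'
}

# Hypothetical stricter selection: the executable (first word of args) must be
# virt-launcher itself, and the uid must appear on the command line.
strict_match() {  # $1 = VM uid, listing on stdin
  awk -v uid="$1" '{
    n = split($2, parts, "/")
    if (parts[n] == "virt-launcher" && index($0, uid)) print $1
  }'
}

# Refuse to continue unless exactly one pid was found, instead of passing
# an ambiguous or empty value on to nsenter.
resolve_launcher_pid() {  # $1 = VM uid, listing on stdin
  pids=$(strict_match "$1")
  count=$(printf '%s\n' "$pids" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 virt-launcher pid for $1, got $count" >&2
    return 1
  fi
  printf '%s\n' "$pids"
}

uid=91a7d4cf-5607-47d8-81ee-702e2837b554
echo "naive:  $(sample_ps | naive_match "$uid" | tr '\n' ' ')"
echo "strict: $(sample_ps | resolve_launcher_pid "$uid")"
```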
*** Bug 2193081 has been marked as a duplicate of this bug. ***
Tested with CNV v4.13.2-rhel9-32, with "cnv-must-gather-rhel9:v4.13.2-5"

1. Created a VM running in 'node1'

2. Ran must-gather command with --node-name as 'node1'

   # oc adm must-gather --node-name=c01-ss-4132-m6m46-worker-0-vszjt --image=registry-proxy.engineering.redhat.com/rh-osbs/container-native-virtualization-cnv-must-gather-rhel9:v4.13.2-5 -- /usr/bin/gather --vms_details

3. Once the 'must-gather' completed, checked that the contents of the ruletables.txt file are non-empty

   # cat must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt
   table ip filter {
           chain INPUT {
                   type filter hook input priority filter; policy accept;
           }
   .
   .

   # ls -lt must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt
   -rw-r--r--. 1 cloud-user cloud-user 1660 Jul  4 05:15 must-gather.local.4542196749137818555/registry-proxy-engineering-redhat-com-rh-osbs-container-native-virtualization-cnv-must-gather-rhel9-sha256-3dc7360aea4e3545957ce96b4d83db852f090443208261bc9a10880513fddf9e/namespaces/default/vms/fedora-khovtsowc0ighufq/virt-launcher-fedora-khovtsowc0ighufq-4v2t7.ruletables.txt

With this information, verifying this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.5 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:4421