OpenShift Virtualization / CNV-28931

[2208641] [4.12] must-gather doesn't collect ruletables


    • CNV I/U Operators Sprint 239

      +++ This bug was initially created as a clone of Bug #2193081 +++

      Description of problem:
      No iptables.txt is gathered with must-gather.

      Version-Release number of selected component (if applicable):

      How reproducible:
      Always

      Steps to Reproduce:
      1. Create a VM and make sure it's running
      2. Run the must-gather command
         oc adm must-gather --image=registry.redhat.io/openshift-pipelines/pipelines-rhel8-operator@sha256:7f80c464361e1acb656abebdac9cc48562416d8e72a0c2394f188972f1150a32:v4.12 -- /usr/bin/gather
      3. Navigate to the folder it opens and search for iptables.txt
         find . -name "iptables.txt"

      Actual results:
      The output doesn't contain any iptables.txt

      Expected results:
      iptables output files named iptables.txt exist in the output directory.

      Additional info:
      Also tried on a 4.13 cluster with the same result.

      — Additional comment from Simone Tiraboschi on 2023-05-04 09:59:34 UTC —

      > registry-proxy.engineering.redhat.com/rh-osbs/container-native-virtualization-cnv-must-gather-rhel8:v4.8.0

      please use the right must-gather version matching CNV version.

      — Additional comment from Ohad on 2023-05-07 15:12:17 UTC —

      Tried with the correct image for 4.12 and 4.13 with the same result

      — Additional comment from Simone Tiraboschi on 2023-05-08 07:20:47 UTC —

      It got renamed from ${ocvm}.iptables.txt to ${ocvm}.ruletables.txt with:
      https://github.com/kubevirt/must-gather/pull/115

      Or, should we prefer ruletables.txt over iptables.txt and amend the test?

      — Additional comment from on 2023-05-09 07:10:44 UTC —

      Yes please, because iptables is deprecated, main way is nftables
      iptables is just a fallback
      hence the rename

      Thanks

      — Additional comment from Simone Tiraboschi on 2023-05-09 08:31:14 UTC —

      OK, closing as WONTFIX as for the last comment.
      Ohad, please adapt the test to the new expected filename.

      — Additional comment from on 2023-05-09 11:02:28 UTC —

      well we did fix it by collecting nft when the binary exists, and collecting iptables otherwise
      (the PR you posted)
      however the test should be adapted indeed please

      — Additional comment from Debarati Basu-Nag on 2023-05-15 18:00:55 UTC —

      @oshoval@redhat.com This test was modified based on the changes you mentioned. We now look for a file with name as *ruletables.txt in the gathered data.
      In this file we expect sections:
      1) table ip filter
      2) table ip nat

      Lately we are intermittently not finding those sections in the file, hence the bug was logged. Were there any recent changes in this area? Are these headers still expected in the file?

      — Additional comment from on 2023-05-16 11:29:36 UTC —

      Hi
      In case nftables exists it won't print those two, but just the output of "nft list ruleset" (we moved to nftables, so it is logical newer versions have the nft binary)
      https://github.com/kubevirt/must-gather/pull/115/files#diff-a37e8e9a44092d71604b65f352bcb0a294fe0255d2854fc93d21efc92ee5ba41R81
      otherwise it will print the legacy output of "iptables -t filter -L" and "iptables -t nat -L"
      (in both cases the output is at *ruletables.txt)

      — Additional comment from Debarati Basu-Nag on 2023-05-16 20:27:12 UTC —

      @oshoval@redhat.com it looks like the first path is not getting executed:
      From the cluster I see nft list ruleset output:
      However the file collected is zero bytes.
      I am going to reopen this one for 4.13.0.

      I will add the must gather collected under: https://drive.google.com/drive/folders/1s2rgHft0wA5syd2meMkRlcpk4fvj0qJu
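
The check this thread converges on, as an added example that is not part of the original comments or of the must-gather project: it accepts either collection path (`nft list ruleset` or the legacy `iptables -L` output) in any `*ruletables.txt` and reports zero-byte files explicitly. The file names and sample bodies are constructed; `classify`, `check_gather` and `demo` are hypothetical names, and the required tables are the two the test above looks for.

```python
import re
import tempfile
from pathlib import Path

# Line-start markers: nft "table <family> <name> {" and iptables -L "Chain <name> (".
NFT_TABLE = re.compile(r"^table (\S+) (\S+) \{", re.M)
LEGACY_CHAIN = re.compile(r"^Chain \S+ \(", re.M)

def classify(text):
    """Return (format, nft_tables) for the body of one *ruletables.txt."""
    if not text.strip():
        return "empty", set()
    tables = {f"{family} {name}" for family, name in NFT_TABLE.findall(text)}
    if tables:
        return "nft", tables
    if LEGACY_CHAIN.search(text):
        return "iptables", set()
    return "unknown", set()

def check_gather(root, required=("ip filter", "ip nat")):
    """Map every *ruletables.txt under root to (format, list of problems)."""
    report = {}
    for path in sorted(Path(root).rglob("*ruletables.txt")):
        fmt, tables = classify(path.read_text(errors="replace"))
        problems = []
        if fmt == "empty":
            problems.append("zero-length or whitespace-only file")
        elif fmt == "unknown":
            problems.append("neither nft nor iptables output recognised")
        elif fmt == "nft":
            problems += [f"missing 'table {t}'" for t in required if t not in tables]
        report[path.name] = (fmt, problems)
    return report

def demo():
    """Run the check over constructed files (not from a real must-gather)."""
    samples = {
        "vm-a.ruletables.txt": "table ip nat {\n}\ntable ip filter {\n}\n",
        "vm-b.ruletables.txt": "Chain INPUT (policy ACCEPT)\ntarget prot opt source destination\n",
        "vm-c.ruletables.txt": "",  # the zero-byte case reported in the thread
        "vm-d.ruletables.txt": "table ip6 nat {\n}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return check_gather(tmp)

if __name__ == "__main__":
    for name, (fmt, problems) in demo().items():
        print(f"{name}: {fmt}: {', '.join(problems) or 'ok'}")
```

Pass `required=()` where only non-empty, recognisable output matters.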

      — Additional comment from on 2023-05-17 06:17:30 UTC —

      I think I know why it happens, "no-fork" string that it looks for was changed
      will fix it soon

      Thanks

      — Additional comment from on 2023-05-17 13:15:57 UTC —

      I was wrong with my assumption, this was already fixed by https://github.com/kubevirt/must-gather/pull/148

      — Additional comment from Debarati Basu-Nag on 2023-05-17 17:37:48 UTC —

      We are seeing this on 4.12.3, 4.11.z as well as 4.13.0.
