  1. OpenShift Bugs
  2. OCPBUGS-18892

ovn-ipsec pods CLBO when IPSec NS extension/svc is enabled


    • Critical
    • No
    • Rejected
    • False



      Description of problem:

      ovn-ipsec pods crash when the IPSec NS extension/svc is enabled on any $ROLE nodes.
      IPSec ext and svc were enabled for 2 WORKERS only, and their corresponding ovn-ipsec pods are in CLBO.
      [root@dell-per740-36 ipsec]# oc get pods 
      NAME                                       READY   STATUS             RESTARTS         AGE
      dell-per740-14rhtsengpek2redhatcom-debug   1/1     Running            0                3m37s
      ovn-ipsec-bptr6                            0/1     CrashLoopBackOff   26 (3m58s ago)   130m
      ovn-ipsec-bv88z                            1/1     Running            0                3h5m
      ovn-ipsec-pre414-6pb25                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-b6vzh                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-jzwcm                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-vgwqx                     1/1     Running            3                132m
      ovn-ipsec-pre414-xl4hb                     1/1     Running            3                130m
      ovn-ipsec-qb2bj                            1/1     Running            0                3h5m
      ovn-ipsec-r4dfw                            1/1     Running            0                3h5m
      ovn-ipsec-xhdpw                            0/1     CrashLoopBackOff   28 (116s ago)    132m
      ovnkube-control-plane-698c9845b8-4v58f     2/2     Running            0                3h5m
      ovnkube-control-plane-698c9845b8-nlgs8     2/2     Running            0                3h5m
      ovnkube-control-plane-698c9845b8-wfkd4     2/2     Running            0                3h5m
      ovnkube-node-l6sr5                         8/8     Running            27 (66m ago)     130m
      ovnkube-node-mj8bs                         8/8     Running            27 (75m ago)     132m
      ovnkube-node-p24x8                         8/8     Running            0                178m
      ovnkube-node-rlpbh                         8/8     Running            0                178m
      ovnkube-node-wdxbg                         8/8     Running            0                178m
      [root@dell-per740-36 ipsec]# 

      Version-Release number of selected component (if applicable):


      How reproducible:


      Steps to Reproduce:

      1. Install OVN IPSec cluster (East-West)
      2. Enable IPSec OS extension for North-South
      3. Enable IPSec service for North-South

      Actual results:

      ovn-ipsec pods in CLBO state

      Expected results:

      All pods under ovn-kubernetes ns should be Running fine

      Additional info:

      Logs from one of the ovn-ipsec pods in CLBO:
      # oc logs ovn-ipsec-bptr6
      Defaulted container "ovn-ipsec" out of: ovn-ipsec, ovn-keys (init)
      + rpm --dbpath=/usr/share/rpm -q libreswan
      + counter=0
      + '[' -f /etc/cni/net.d/10-ovn-kubernetes.conf ']'
      + echo 'ovnkube-node has configured node.'
      ovnkube-node has configured node.
      + ip x s flush
      + ip x p flush
      + ulimit -n 1024
      + /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
      + /usr/libexec/ipsec/_stackmanager start
      + /usr/sbin/ipsec --checknss
      + /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --logfile /var/log/openvswitch/libreswan.log
      FATAL ERROR: /usr/libexec/ipsec/pluto: lock file "/run/pluto/pluto.pid" already exists
      leak: string logger, item size: 48
      leak: string logger prefix, item size: 27
      leak detective found 2 leaks, total size 75
      journalctl -u ipsec here: https://privatebin.corp.redhat.com/?216142833d016b3c#2Es8ACSyM3VWvwi85vTaYtSx8X3952ahxCvSHeY61UtT

            ykashtan Yuval Kashtan
            anusaxen Anurag Saxena
            Anurag Saxena Anurag Saxena
            Huiran Wang, Ross Brattain
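
A triage check for the `lock file "/run/pluto/pluto.pid" already exists` failure in the log above, as an added example that is not part of the original report or of OpenShift's code: it classifies the lock file as leftover or as held by a running process. It assumes the file holds the owner's PID as its first token and that it is run on the node itself (for example from the debug pod), since a PID is only meaningful in the writer's PID namespace; the `pluto_lock_state` name and its result strings are made up for this example.

```shell
#!/bin/sh
# Added triage example (not from the bug report or the product).
# Classifies a pluto lock file so a responder can tell a leftover file
# from one that is held by a process that is still running.

# pluto_lock_state PIDFILE [PROCROOT]
# Prints one of: absent | invalid | stale | live-pluto | live-other
# PROCROOT defaults to /proc; it is a parameter so the check can be
# exercised against a constructed directory tree.
pluto_lock_state() (
    pidfile=$1
    procroot=${2:-/proc}
    pid=

    # No lock file at all: pluto should be able to start.
    [ -e "$pidfile" ] || { echo absent; exit 0; }

    # Assumption: the first whitespace-delimited token is the owner's PID.
    read -r pid _ < "$pidfile" || true
    case $pid in
        ''|*[!0-9]*) echo invalid; exit 0 ;;
    esac

    # PID not present in the process table: the file is a leftover.
    [ -d "$procroot/$pid" ] || { echo stale; exit 0; }

    # PID is alive: check whether it really is pluto or a reused PID.
    comm=$(cat "$procroot/$pid/comm" 2>/dev/null || true)
    if [ "$comm" = pluto ]; then
        echo live-pluto
    else
        echo live-other
    fi
)

# When called with arguments, classify that file, e.g.:
#   sh pluto_lock_state.sh /run/pluto/pluto.pid
if [ "$#" -gt 0 ]; then
    pluto_lock_state "$@"
fi
```

A `live-pluto` result means another pluto instance already owns the lock, while `stale` or `live-other` means the file was left behind by a process that is no longer pluto.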