Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-19461

ovn-ipsec pods CLBO when IPSec NS extension/svc is enabled

    XMLWordPrintable

Details

    • Critical
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      ovn-ipsec pods Crashes when IPSec NS extension/svc is enabled on any $ROLE nodes
      
      IPSec ext and svc were enabled for 2 WORKERS only and their corresponding ovn-ipsec pods are in CLBO
      
      
      [root@dell-per740-36 ipsec]# oc get pods 
      NAME                                       READY   STATUS             RESTARTS         AGE
      dell-per740-14rhtsengpek2redhatcom-debug   1/1     Running            0                3m37s
      ovn-ipsec-bptr6                            0/1     CrashLoopBackOff   26 (3m58s ago)   130m
      ovn-ipsec-bv88z                            1/1     Running            0                3h5m
      ovn-ipsec-pre414-6pb25                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-b6vzh                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-jzwcm                     1/1     Running            0                3h5m
      ovn-ipsec-pre414-vgwqx                     1/1     Running            3                132m
      ovn-ipsec-pre414-xl4hb                     1/1     Running            3                130m
      ovn-ipsec-qb2bj                            1/1     Running            0                3h5m
      ovn-ipsec-r4dfw                            1/1     Running            0                3h5m
      ovn-ipsec-xhdpw                            0/1     CrashLoopBackOff   28 (116s ago)    132m
      ovnkube-control-plane-698c9845b8-4v58f     2/2     Running            0                3h5m
      ovnkube-control-plane-698c9845b8-nlgs8     2/2     Running            0                3h5m
      ovnkube-control-plane-698c9845b8-wfkd4     2/2     Running            0                3h5m
      ovnkube-node-l6sr5                         8/8     Running            27 (66m ago)     130m
      ovnkube-node-mj8bs                         8/8     Running            27 (75m ago)     132m
      ovnkube-node-p24x8                         8/8     Running            0                178m
      ovnkube-node-rlpbh                         8/8     Running            0                178m
      ovnkube-node-wdxbg                         8/8     Running            0                178m
      [root@dell-per740-36 ipsec]# 
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-09-12-024050

      How reproducible:

      Always

      Steps to Reproduce:

      1.Install OVN IPSec cluster (East-West) 
      2.Enable IPSec OS extension for North-South
      3.Enable IPSec service for North-South
      

      Actual results:

      ovn-ipsec pods in CLBO state

      Expected results:

      All pods under ovn-kubernetes ns should be Running fine

      Additional info:

      One of the ovn-ipsec CLBO pods logs
      
      # oc logs ovn-ipsec-bptr6
      Defaulted container "ovn-ipsec" out of: ovn-ipsec, ovn-keys (init)
      + rpm --dbpath=/usr/share/rpm -q libreswan
      libreswan-4.9-4.el9_2.x86_64
      + counter=0
      + '[' -f /etc/cni/net.d/10-ovn-kubernetes.conf ']'
      + echo 'ovnkube-node has configured node.'
      ovnkube-node has configured node.
      + ip x s flush
      + ip x p flush
      + ulimit -n 1024
      + /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
      + /usr/libexec/ipsec/_stackmanager start
      + /usr/sbin/ipsec --checknss
      + /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --logfile /var/log/openvswitch/libreswan.log
      FATAL ERROR: /usr/libexec/ipsec/pluto: lock file "/run/pluto/pluto.pid" already exists
      leak: string logger, item size: 48
      leak: string logger prefix, item size: 27
      leak detective found 2 leaks, total size 75
      
      journalctl -u ipsec here: https://privatebin.corp.redhat.com/?216142833d016b3c#2Es8ACSyM3VWvwi85vTaYtSx8X3952ahxCvSHeY61UtT
      
      

      Attachments

        Issue Links

          Activity

            People

              ykashtan Yuval Kashtan
              anusaxen Anurag Saxena
              Anurag Saxena Anurag Saxena
              Huiran Wang, Ross Brattain
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: