  1. OpenShift SDN
  2. SDN-2151

Syntax error appears to break the ovn egressFirewall policy during the cluster upgrade.


Details

    • Bug
    • Resolution: Obsolete
    • Blocker
    • OVN Kubernetes

    Description

      A customer using ovn and ovn egressfirewall upgraded their cluster from 4.7.11 to 4.7.23.
      Post upgrade, the customer claimed that their application stopped working.

      During the remote session, we noticed that their egressFirewall rules were not applied properly and the message reported under the status was "EgressFirewall Rules not correctly added". More at [0].

      Looking at the ovnkube-master-XXX logs, we noticed the following error [1], which appears to be suspect.

      The workaround which seems to work in the case of the customer was to delete and recreate the policy.

      The error appeared after the egressfirewall.go call to add the rule [2].

       

      [0]

      socleged-couloir-mma-debug default EgressFirewall Rules not correctly added
      socleged-couloir-mma-form default EgressFirewall Rules not correctly added
      socleged-couloir-mma-preprod default EgressFirewall Rules not correctly added
      socleged-couloir-mma-prod default EgressFirewall Rules not correctly added

       

      [1]

      2021-08-24T07:51:24.803769669Z E0824 07:51:24.803741 1 ovn.go:832] error adding ACL to joinsSwitch lx30404.posix.covea.priv failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch lx30404.posix.covea.priv acls ' failed: exit status 1

      2021-08-24T07:51:24.849003919Z E0824 07:51:24.848951 1 ovn.go:832] error adding ACL to joinsSwitch lx30410.posix.covea.priv failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch lx30410.posix.covea.priv acls ' failed: exit status 1

      2021-08-24T07:51:24.902281311Z E0824 07:51:24.902248 1 ovn.go:832] error adding ACL to joinsSwitch lx30410.posix.covea.priv failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch lx30410.posix.covea.priv acls ' failed: exit status 1

      2021-08-24T07:51:24.943855608Z E0824 07:51:24.942464 1 ovn.go:832] error adding ACL to joinsSwitch lx30410.posix.covea.priv failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch lx30410.posix.covea.priv acls ' failed: exit status 1

       

      [2]

      2021-08-24T08:27:27.752291915Z I0824 08:27:27.752242 1 egressfirewall.go:209] Adding egressFirewall default in namespace pgen-generateur-gp-prod
      2021-08-24T08:27:27.764368140Z 2021-08-24T08:27:27.764Z|01309|nbctl|INFO|Running command run -- add logical_switch lx30405.posix.covea.priv acls 7c019043-3cae-4086-824b-d587a3f1f3de
      2021-08-24T08:27:27.768473337Z 2021-08-24T08:27:27.768Z|01310|nbctl|INFO|Running command run -- add logical_switch lx30405.posix.covea.priv acls
      2021-08-24T08:27:27.768940643Z E0824 08:27:27.768908 1 ovn.go:832] error adding ACL to joinsSwitch lx30405.posix.covea.priv failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch lx30405.posix.covea.priv acls ' failed: exit status 1
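
A triage sketch for the failure shown in [1] and [2], added here as an example and not taken from ovn-kubernetes or from the reporter: it scans ovnkube-master log text for `add logical_switch ... acls` commands issued with no ACL UUID and groups the affected switches under the most recent "Adding egressFirewall" namespace. The sample log is constructed with placeholder names, and attributing a failure to the preceding namespace line is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of excerpts [1] and [2]; the namespace,
# node names and ACL UUID are placeholders, not values from the ticket.
SAMPLE_LOG = r'''
2021-08-24T07:51:24.803769669Z E0824 07:51:24.803741 1 ovn.go:832] error adding ACL to joinsSwitch node-a.example.test failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch node-a.example.test acls ' failed: exit status 1
2021-08-24T07:51:24.849003919Z E0824 07:51:24.848951 1 ovn.go:832] error adding ACL to joinsSwitch node-a.example.test failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch node-a.example.test acls ' failed: exit status 1
2021-08-24T08:27:27.752291915Z I0824 08:27:27.752242 1 egressfirewall.go:209] Adding egressFirewall default in namespace team-prod
2021-08-24T08:27:27.764368140Z 2021-08-24T08:27:27.764Z|01309|nbctl|INFO|Running command run -- add logical_switch node-b.example.test acls 00000000-0000-4000-8000-000000000001
2021-08-24T08:27:27.768940643Z E0824 08:27:27.768908 1 ovn.go:832] error adding ACL to joinsSwitch node-b.example.test failed, stderr: "ovn-nbctl: use \"[]\" to specify the empty set\n", OVN command '/usr/bin/ovn-nbctl --timeout=15 add logical_switch node-b.example.test acls ' failed: exit status 1
'''

ADDING_RE = re.compile(
    r"egressfirewall\.go:\d+\] Adding egressFirewall (\S+) in namespace (\S+)")
# Matches only when nothing follows "acls" inside the quoted command,
# i.e. the ACL UUID argument passed to ovn-nbctl was empty.
EMPTY_ACL_RE = re.compile(
    r"OVN command '\S*ovn-nbctl [^']*add logical_switch (\S+) acls\s*' failed")


def triage(log_text):
    """Return {namespace: {switch: failures}} for ACL adds issued with no UUID."""
    hits = defaultdict(lambda: defaultdict(int))
    namespace = "<unknown>"  # failures logged before any "Adding egressFirewall" line
    for line in log_text.splitlines():
        m = ADDING_RE.search(line)
        if m:
            namespace = m.group(2)  # heuristic: later failures belong to this namespace
            continue
        m = EMPTY_ACL_RE.search(line)
        if m:
            hits[namespace][m.group(1)] += 1
    return {ns: dict(switches) for ns, switches in hits.items()}


if __name__ == "__main__":
    for ns, switches in triage(SAMPLE_LOG).items():
        for switch, count in sorted(switches.items()):
            print(f"{ns}\t{switch}\t{count} failed ACL add(s) with empty UUID")
```

The namespaces it reports are the ones to check for the "EgressFirewall Rules not correctly added" status shown in [0].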


          People

            Unassigned Unassigned
            rhn-support-rupatel Rupesh Patel