OCPBUGS-52367: Fix collecting IPsec data for upgrade #482

Open
wants to merge 1 commit into
base: master
pperiyasamy
Member

After IPsec is upgraded from 4.14 to later versions, the API option for IPsec in the networks.operator.openshift.io cluster object continues to have {} in the ipsecConfig and may not be migrated to the newer version containing the IPsec mode option. This is supported in OCP for backward compatibility, so mg needs fixing to collect IPsec data when the API is configured with the old option.

After IPsec is upgraded from 4.14 to later versions, the API option for IPsec in
the networks.operator.openshift.io cluster object continues to have {} in the ipsecConfig
and may not be migrated to the newer version containing the IPsec mode option. This is
supported in OCP for backward compatibility, so mg needs fixing to collect IPsec data
when the API is configured with the old option.

Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
@openshift-ci openshift-ci bot requested review from ingvagabund and sferich888 March 3, 2025 09:37
Contributor

openshift-ci bot commented Mar 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pperiyasamy
Once this PR has been reviewed and has the lgtm label, please assign sferich888 for approval. For more information see the Code Review Process.

@pperiyasamy
Member Author

/assign @huiran0826

@pperiyasamy
Member Author

/retest

Contributor

openshift-ci bot commented Mar 3, 2025

@pperiyasamy: all tests passed!

@huiran0826

pre-merge tested it, looks good

oc get network.operator -o jsonpath='{.items[*].spec.defaultNetwork}'    
{"ovnKubernetesConfig":{"egressIPConfig":{},"gatewayConfig":{"ipv4":{},"ipv6":{},"routingViaHost":false},"genevePort":6081,"ipsecConfig":{},"mtu":8855,"policyAuditConfig":{"destination":"null","maxFileSize":50,"maxLogFiles":5,"rateLimit":20,"syslogFacility":"local0"}},"type":"OVNKubernetes"}
% ls -lrt
total 48
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-m26pz_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-hj97b_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-xbgbz_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-n9rdl_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-dxbk8_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  4 19:46 ovn-ipsec-host-cqv42_ipsec.conf
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-cqv42_ipsec.d
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-dxbk8_ipsec.d
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-hj97b_ipsec.d
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-m26pz_ipsec.d
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-n9rdl_ipsec.d
drwxr-xr-x   5 huirwang  staff   160 Mar  4 19:54 ovn-ipsec-host-xbgbz_ipsec.d
drwxr-xr-x   8 huirwang  staff   256 Mar  4 19:54 status
drwxr-xr-x   8 huirwang  staff   256 Mar  4 19:54 trafficstatus
drwxr-xr-x  14 huirwang  staff   448 Mar  4 19:54 xfrm

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved (Signifies that QE has signed off on this PR) label Mar 4, 2025
@huiran0826

Double checked for full mode, ipsec logs were collected in must-gather

 % oc get network.operator -o jsonpath='{.items[*].spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig}' | jq .
{
  "mode": "Full"
}
% ls -lrt
total 48
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-q7vhv_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-kxssh_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-k8bng_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-gz4r8_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-d22t5_ipsec.conf
-rw-r--r--   1 huirwang  staff  1672 Mar  5 18:16 ovn-ipsec-host-7gdf4_ipsec.conf
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-7gdf4_ipsec.d
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-d22t5_ipsec.d
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-gz4r8_ipsec.d
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-k8bng_ipsec.d
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-kxssh_ipsec.d
drwxr-xr-x   4 huirwang  staff   128 Mar  5 18:20 ovn-ipsec-host-q7vhv_ipsec.d
drwxr-xr-x   8 huirwang  staff   256 Mar  5 18:20 status
drwxr-xr-x   8 huirwang  staff   256 Mar  5 18:20 trafficstatus
drwxr-xr-x  14 huirwang  staff   448 Mar  5 18:20 xfrm
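
The condition this PR is about, as an added example (not code from the must-gather repository): an `ipsecConfig` of `{}` has to count as IPsec enabled, and the collected directory can then be checked against the layout in the listings above. The function names and JSON samples are constructed for illustration, and the expected-artifact list is inferred from those listings, not from the collection script.

```python
import json

# Constructed samples mirroring the two configurations shown in the thread,
# plus a cluster without IPsec. Not real cluster output.
LEGACY = '{"items":[{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{}}}}}]}'
FULL = '{"items":[{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{"mode":"Full"}}}}}]}'
NO_IPSEC = '{"items":[{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"mtu":8855}}}}]}'


def ipsec_state(network_operator_json):
    """Classify ipsecConfig from `oc get network.operator -o json` output."""
    doc = json.loads(network_operator_json)
    items = doc.get("items", [doc])  # accept a List or a single object
    spec = items[0].get("spec", {}) if items else {}
    ovn = spec.get("defaultNetwork", {}).get("ovnKubernetesConfig") or {}
    cfg = ovn.get("ipsecConfig")
    if cfg is None:
        return "absent"
    # An object with no mode is the pre-upgrade (4.14) way of enabling IPsec.
    # A check that only compares the mode string skips collection here.
    return cfg.get("mode") or "legacy-enabled"


def missing_artifacts(state, entries):
    """Return expected names that are not in the IPsec must-gather directory.

    The expected layout is inferred from the listings in this thread.
    """
    if state not in ("legacy-enabled", "Full"):  # only the cases tested above
        return []
    names = set(entries)
    missing = [d for d in ("status", "trafficstatus", "xfrm") if d not in names]
    confs = sorted(n for n in names
                   if n.startswith("ovn-ipsec-host-") and n.endswith("_ipsec.conf"))
    if not confs:
        missing.append("ovn-ipsec-host-*_ipsec.conf")
    for conf in confs:
        conf_dir = conf[:-len("conf")] + "d"  # <pod>_ipsec.conf -> <pod>_ipsec.d
        if conf_dir not in names:
            missing.append(conf_dir)
    return missing


if __name__ == "__main__":
    listing = ["status", "trafficstatus", "xfrm", "ovn-ipsec-host-m26pz_ipsec.conf"]
    for sample in (LEGACY, FULL, NO_IPSEC):
        state = ipsec_state(sample)
        print(state, missing_artifacts(state, listing))
```

Any other mode value is returned verbatim and gets no artifact check, because the thread only verifies the `{}` and `Full` cases.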

@pperiyasamy
Member Author

/assign @sferich888

@pperiyasamy pperiyasamy changed the title from "Fix collecting IPsec data for upgrade" to "OCPBUGS-52367: Fix collecting IPsec data for upgrade" Mar 5, 2025
@openshift-ci-robot openshift-ci-robot added the labels jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.) and jira/valid-bug (Indicates that a referenced Jira bug is valid for the branch this PR is targeting.) Mar 5, 2025
@openshift-ci-robot

@pperiyasamy: This pull request references Jira Issue OCPBUGS-52367, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @huiran0826

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci bot requested a review from huiran0826 March 5, 2025 14:01
@sferich888
Contributor

I worry that what we collect here could collect a large number of files (that can't be limited) if IPsec configurations are in place. Thus, on a 500-node cluster, the collection time and space requirements to collect this data may be a problem for customers; should we provide a way to limit the collection with a label?

@pperiyasamy
Member Author

> I worry that what we collect here could collect a large number of files (that can't be limited) if IPsec configurations are in place. Thus, on a 500-node cluster, the collection time and space requirements to collect this data may be a problem for customers; should we provide a way to limit the collection with a label?

@sferich888 The collected IPsec logs are mostly about collecting IPsec config files and a few command outputs (like ip xfrm state, ip xfrm policy, ipsec whack --status and ipsec whack --trafficstatus). Of course, the ip/ipsec command output has results for its peer nodes, but I don't think it consumes a lot of space, though there are many files. The libreswan log (which may consume more space) is collected only for 4.14 deployments. From 4.15, this is collected only from the sos report.
