Comment 3 for bug 1985062

Alin-Gabriel Serdean (alin-serdean) wrote :

Steps to reproduce

* Use a python client to connect to the Southbound Database.
* Once it is connected, add an iptables rule to reject that traffic with a TCP reset.
* Restart the application after installing the rule mentioned above, and you will receive the following call stack:
  File "/usr/lib/python3/dist-packages/ovs/db/idl.py", line 398, in run
    self._session.run()
  File "/usr/lib/python3/dist-packages/ovs/jsonrpc.py", line 532, in run
    self.__connect()
  File "/usr/lib/python3/dist-packages/ovs/jsonrpc.py", line 467, in __connect
    error, self.stream = ovs.stream.Stream.open(name)
  File "/usr/lib/python3/dist-packages/ovs/stream.py", line 196, in open
    err = cls.check_connection_completion(sock)
  File "/usr/lib/python3/dist-packages/ovs/stream.py", line 777, in check_connection_completion
    return Stream.check_connection_completion(sock)
  File "/usr/lib/python3/dist-packages/ovs/stream.py", line 137, in check_connection_completion
    return ovs.socket_util.check_connection_completion(sock)
  File "/usr/lib/python3/dist-packages/ovs/socket_util.py", line 181, in check_connection_completion
    sock.send("\0".encode(), socket.MSG_DONTWAIT)
  File "/usr/lib/python3/dist-packages/eventlet/green/ssl.py", line 193, in send
    return self._call_trampolining(
  File "/usr/lib/python3/dist-packages/eventlet/green/ssl.py", line 157, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python3.8/ssl.py", line 1170, in send
    raise ValueError(
ValueError: non-zero flags not allowed in calls to send() on <class 'eventlet.green.ssl.GreenSSLSocket'>

Example using OpenStack + neutron-ovn-metadata-agent (ovsdbapp):
* Check a compute instance which has neutron-ovn-metadata-agent connected to the SB DB:
$ sudo netstat -tuapn | grep 6642
tcp 0 0 10.230.57.99:38834 10.230.62.255:6642 ESTABLISHED 2209992/ovn-control
tcp 0 0 10.230.57.99:59670 10.230.58.204:6642 ESTABLISHED 3687447/neutron-ovn
tcp 0 0 10.230.57.99:45296 10.230.58.185:6642 ESTABLISHED 3687446/neutron-ovn
tcp 0 0 10.230.57.99:59668 10.230.58.204:6642 ESTABLISHED 3687426/neutron-ovn
* Add an iptables rule to reject traffic:
$ sudo iptables -A OUTPUT -p tcp --destination-port 6642 -j REJECT --reject-with tcp-reset
* Restart the neutron-ovn-metadata-agent:
$ sudo systemctl restart neutron-ovn-metadata-agent.service
* Check the log at /var/log/neutron/neutron-ovn-metadata-agent.log
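
Added example, not part of the comment above and not code from OVS, ovsdbapp or eventlet: the ValueError at the bottom of the traceback can be reproduced with the standard-library ssl module alone, because an SSL socket rejects any non-zero send() flags before doing I/O. The helper names and the SO_ERROR-based `completion_status` check are assumptions for illustration, not the fix adopted for this bug; MSG_DONTWAIT requires a POSIX host.

```python
import errno
import select
import socket
import ssl


def tls_wrapped_loopback():
    """Constructed input: a loopback TCP connection, client end wrapped in TLS
    with no handshake performed (none is needed to reach the flags check)."""
    listener = socket.create_server(("127.0.0.1", 0))
    raw = socket.create_connection(listener.getsockname())
    peer, _ = listener.accept()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # throwaway local socket, no certificates
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(raw, do_handshake_on_connect=False)
    return tls, peer, listener


def probe_with_flags(sock):
    """The probe from the traceback: one NUL byte sent with MSG_DONTWAIT."""
    try:
        sock.send("\0".encode(), socket.MSG_DONTWAIT)
    except ValueError as exc:           # raised by ssl before any I/O happens
        return "ValueError: %s" % exc
    except OSError as exc:              # what a plain socket reports on failure
        return "OSError: %s" % errno.errorcode.get(exc.errno, exc.errno)
    return "sent"


def completion_status(sock, timeout=1.0):
    """Hypothetical flag-free check: wait for writability, then read SO_ERROR.
    Returns 0 when connected, EAGAIN while pending, or the pending errno."""
    _, writable, _ = select.select([], [sock], [], timeout)
    if not writable:
        return errno.EAGAIN
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)


if __name__ == "__main__":
    tls, peer, listener = tls_wrapped_loopback()
    print(probe_with_flags(peer))       # plain TCP socket accepts the flag
    print(probe_with_flags(tls))        # SSL socket rejects it with ValueError
    print(completion_status(tls))       # 0 on this healthy connection
    for s in (tls, peer, listener):
        s.close()
```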