openshift-sdn, ovn-kubernetes: adopt systemd-managed openvswitch if present

[squeed]

Needed to remove some of the readiness probes because they don't work, but this doesn't actually lose much coverage.

And liveness probes are not useful in this context.

This contains a hack to pass a strange case that an artifact of CI upgrade tests. It won't be in the wild, and could be removed.

Note to reviewers: hide whitespace changes :-)

[squeed]

/cc @mccv1r0 @dcbw

[mccv1r0]

Do you mean /var/log/openvswitch instead of openvswitch-host?

Is the goal to block here, and never return?

[squeed]

No, this is correct. /var/log/openvswitch is not a host directory.
The goal is to block here. We need to keep a process running so kubelet doesn't think the pod has died.

[mccv1r0]

No, this is correct. /var/log/openvswitch is not a host directory.

Then shouldn't e.g.

tail -F --pid=$(cat /var/run/openvswitch/ovs-vswitchd.pid) /var/log/openvswitch/ovs-vswitchd.log &

below also use /var/log/openvswitch-host ?

[squeed]

no... because that's for the containerized case.

[squeed]

e2e-gcp has a single freaking test failure. the network came up just fine.

[squeed]

/retest

[vishnoianil]

@squeed this is the only PR where gcp-ovn test passed, rest all PR are failing this test because CNO is degrading becayse br-int is not created on the nodes.

[abhat]

I think we should revert: openshift/machine-config-operator#1830 first.

[squeed]

test failures are all flakes or infra issues
/retest

[squeed]

Upgrades are failing, nuts:

● ovsdb-server.service - Open vSwitch Database Unit
   Loaded: loaded (/usr/lib/systemd/system/ovsdb-server.service; static; vendor preset: enabled)
   Active: active (running) since Wed 2020-06-17 08:33:56 UTC; 25min ago
  Process: 1177 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random ${OVS_USER_OPT} start $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1170 ExecStartPre=/bin/sh -c if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVS_USER_OPT=--ovs-user=${OVS_USER_ID}" >> /run/openvswitch.useropts; fi (code=exited, status=0/SUCCESS)
  Process: 1146 ExecStartPre=/bin/sh -c rm -f /run/openvswitch.useropts; /usr/bin/echo "OVS_USER_ID=${OVS_USER_ID}" > /run/openvswitch.useropts (code=exited, status=0/SUCCESS)
  Process: 1135 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch (code=exited, status=1/FAILURE)
 Main PID: 1234 (ovsdb-server)
    Tasks: 1 (limit: 95371)
   Memory: 20.0M
   CGroup: /system.slice/ovsdb-server.service
           └─1234 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvswitch is running in systemd
==> /var/log/openvswitch-host/ovs-vswitchd.log <==
2020-06-17T08:59:30.577Z|09841|fatal_signal|WARN|could not unlink "/var/run/openvswitch/br0.snoop" (Permission denied)
2020-06-17T08:59:30.577Z|09842|stream_unix|ERR|/var/run/openvswitch/br0.snoop: binding failed: Permission denied
2020-06-17T08:59:30.577Z|09843|connmgr|ERR|failed to listen on punix:/var/run/openvswitch/br0.snoop: Permission denied
2020-06-17T08:59:30.583Z|09844|socket_util_unix|WARN|unlinking "/var/run/openvswitch/br0.mgmt": Permission denied
2020-06-17T08:59:30.583Z|09845|fatal_signal|WARN|could not unlink "/var/run/openvswitch/br0.mgmt" (Permission denied)
2020-06-17T08:59:30.583Z|09846|stream_unix|ERR|/var/run/openvswitch/br0.mgmt: binding failed: Permission denied
2020-06-17T08:59:30.583Z|09847|socket_util_unix|WARN|unlinking "/var/run/openvswitch/br0.snoop": Permission denied
2020-06-17T08:59:30.583Z|09848|fatal_signal|WARN|could not unlink "/var/run/openvswitch/br0.snoop" (Permission denied)
2020-06-17T08:59:30.583Z|09849|stream_unix|ERR|/var/run/openvswitch/br0.snoop: binding failed: Permission denied
2020-06-17T08:59:30.583Z|09850|connmgr|ERR|failed to listen on punix:/var/run/openvswitch/br0.snoop: Permission denied

[squeed]

Huh: chown[1135]: /usr/bin/chown: cannot access '/var/run/openvswitch': No such file or directory

[squeed]

Okay, that should fix it.
@mccv1r0 want to take a quick look? This isn't perfect, but it should get us moving forward.

[squeed]

/retest

[squeed]

So, this PR was failing because system openvswitch was added first, and we needed to handle an impossible upgrade case.

Now that the MCO pr has been reverted, we can get this in, then enable system openvswitch.

[squeed]

@juanluisvaladas all valid criticisms... but I didn't add that :-) Those are unchanged, left over from the containerized case.

[squeed]

Tested this by manually running systemd enable openvswitch && reboot on a test cluster, worked perfectly.

[trozet]

ovn-k8s part looks good to me.
/lgtm

[squeed]

Then since you mount /host you can check for the openvswitch unit file existing or you need to check the return code from systemctl status. On my setup 3 indicates the service exists but is not up, while 4 means service does not exist.

The unit file already exists, it's just not enabled by default. So we can't use whether or not the service exists as a predicate.

We could use is-enabled as a predicate, but that's not reliable for a few reasons - first of all, and this is the case on RHCOS, units without an [Install] section are defined as enabled (even though they're not). Second of all, we might not enable the unit directly in the future; we could make it a dependency of a meta-service. That would break this predicate again.

I don't want to get in the business of checking for systemd configuration files on disk. They can live in a lot of places, so that's just setting ourselves up for trouble.

In any case, the chances of openvswitch.service being stopped on boot, then later enabled, are pretty slim. If it crashes, systemd will restart it. I think this is a reasonable test.

[squeed]

/retest

[squeed]

All required CI runs are green. Failing jobs are oddities - their network came up.

[trozet]

Then since you mount /host you can check for the openvswitch unit file existing or you need to check the return code from systemctl status. On my setup 3 indicates the service exists but is not up, while 4 means service does not exist.

The unit file already exists, it's just not enabled by default. So we can't use whether or not the service exists as a predicate.

We could use is-enabled as a predicate, but that's not reliable for a few reasons - first of all, and this is the case on RHCOS, units without an [Install] section are defined as enabled (even though they're not). Second of all, we might not enable the unit directly in the future; we could make it a dependency of a meta-service. That would break this predicate again.

I don't want to get in the business of checking for systemd configuration files on disk. They can live in a lot of places, so that's just setting ourselves up for trouble.

In any case, the chances of openvswitch.service being stopped on boot, then later enabled, are pretty slim. If it crashes, systemd will restart it. I think this is a reasonable test.

I see your point now. I did't realize OVS RPM was in 4.5 already, so checking unit file existence doesn't really help us. @dcbw fyi

[trozet]

lgtm but would like @mccv1r0 @dcbw to sign off on it

[trozet]

/hold

[trozet]

/hold cancel

[mccv1r0]

I fed this and the MCO PR to cluster-bot and things seemed to behave. The logging of e.g. echo "openvswitch is running in systemd" seemed to get lost. Is this going to be an issue?

[squeed]

I fed this and the MCO PR to cluster-bot and things seemed to behave. The logging of e.g. echo "openvswitch is running in systemd" seemed to get lost. Is this going to be an issue?

Huh. Well, did the PR do the right thing? Do you have a link to the CI run?

[mccv1r0]

I fed this and the MCO PR to cluster-bot and things seemed to behave. The logging of e.g. echo "openvswitch is running in systemd" seemed to get lost. Is this going to be an issue?

Huh. Well, did the PR do the right thing? Do you have a link to the CI run?

"things seemed to behave" The cluster did come up. I didn't get a link just kubeconfig so I can run oc logs

[squeed]

@mccv1r0 if this looks good to you, can you /lgtm?

[mccv1r0]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mccv1r0, squeed, trozet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [squeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@squeed: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-windows-hybrid-network	80e0098	link	/test e2e-windows-hybrid-network
ci/prow/e2e-vsphere	80e0098	link	/test e2e-vsphere

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.