Known Issues
This section lists the known issues in Cloud-Native Contrail Networking (CN2) Release 22.4.
General Routing
- CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.
Workaround: Do not configure fabric source NAT on an isolated namespace.
- CN2-10038: The maximum number of virtual interfaces (VIFs) you can attach to a DPDK vRouter is 64. This includes the VIF used by the compute service pods running on the compute node.
General Features
- CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.
- CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.
Workaround: Disable the juniperheader option to mirror both egress and ingress packets.
- CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show error messages for the UDP test, and the ping and TCP tests will fail.
Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.
- CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leak with traffic drop occurs.
Workaround: Limit a bond configuration on an X710 NIC to two interfaces.
- CN2-10346: When a vRouter pod is restarted on kernel-mode nodes where vhost0 is installed on bond interfaces, the bond IP address might get assigned to a bond secondary interface instead of the bond primary interface.
Run the following script for the workaround:

```bash
#!/bin/bash
# CN2-10346 workaround: move any IP addresses and routes that ended up on a
# bond secondary (slave) interface back onto its bond interface.
set -x

# Every interface that is enslaved to a bond is flagged SLAVE by ip(8).
slave_list=($(ip addr show | grep SLAVE | awk '{ print $2 }' | sed 's/://'))

for slave in "${slave_list[@]}"; do
    IFS=$' '
    # The bond that owns this interface ("... master <bond> ...").
    bond=$(ip addr show dev ${slave} | grep SLAVE | awk -F'master ' '{print $2}' | awk -F' ' '{print $1}')

    # Route entries contain spaces, so split the route list on newlines only.
    IFS=$'\n'
    route_list=($(ip route show | grep ${slave}))
    for route in "${route_list[@]}"; do
        echo "route: ${route}"
        # Re-create the route with the bond in place of the slave interface.
        new_route=$(echo ${route} | sed "s/${slave}/${bond}/g")
        route_cmd=$(echo "ip route replace ${new_route}" | sed -e 's|["'\'']||g')
        eval ${route_cmd}
    done

    ipv4=$(ip addr show dev ${slave} | grep 'inet ' | awk '{ print $2 }')
    ipv6=$(ip addr show dev ${slave} | grep 'inet6 ' | awk '{ print $2 }')
    echo "slave: '${slave}', bond: '${bond}', ipv4: '${ipv4}', ipv6: '${ipv6}'"

    # Move any address found on the slave onto the bond.
    if [[ -n "$ipv4" ]]; then
        ip addr del ${ipv4} dev ${slave}
        ip addr add ${ipv4} dev ${bond}
    fi
    if [[ -n "$ipv6" ]]; then
        ip addr del ${ipv6} dev ${slave}
        ip addr add ${ipv6} dev ${bond}
    fi
done
```
Red Hat OpenShift
- CN2-7787: The Kubevirt deployment on OpenShift 4.10 fails intermittently. See Red Hat bug OCPBUGS-2535 for details.
CN2 and Kubernetes
- CN2-4822: You cannot configure BGPaaS objects on nodes that host the Contrail controller and the worker nodes on the same physical host.
Workaround: None. Production deployments run the Kubernetes worker nodes and the controller on different physical hosts.
- CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.
Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.
- CN2-9276: The custom default pod network does not support environments where Multus is installed. This includes Red Hat's OpenShift Container Platform and any Kubernetes distribution where Multus was installed manually.
- CN2-10010: If you create more pods in a subnet than the number of available IP addresses, the usable IPs remain blocked in the subnet even after other active pods are deleted.
Workaround: Delete the pods that failed, which releases the blocked IPs.
- CN2-10351: Kubevirt v0.58.0 does not support imagePullSecret, which is required for pulling images from the secure registry enterprise-hub.juniper.net/contrail-container-prod/.
Follow these steps for the workaround:
- Install Docker.
- Create a local insecure registry.
- Restart Docker.
- Download the required containers. The containers are attached as Assets to the Juniper/kubevirt release "Userspace CNI - dpdk vhostuser interface support".
- Load the containers.
- Tag and push the containers to the new insecure registry.
- Download operator.yaml and cr.yaml.
- Modify the kubevirt-operator.yaml to use your insecure registry.
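The following script is an added illustration of how the load, tag, push and manifest-rewrite steps of this workaround can be scripted; it is not part of the CN2 release notes or of the Juniper/kubevirt project. The registry address registry.example.internal:5000, the ./assets directory of downloaded .tar archives, and the assumption that kubevirt-operator.yaml references images under enterprise-hub.juniper.net/contrail-container-prod/ are placeholders and assumptions; only that secure-registry path comes from the release notes.

```shell
#!/bin/sh
# Added example for the CN2-10351 workaround; not part of the CN2 release
# notes or the Juniper/kubevirt project. Placeholders (assumptions):
#   LOCAL_REGISTRY        address of the local insecure registry the cluster nodes pull from
#   ./assets/*.tar        container archives downloaded from the release Assets
#   kubevirt-operator.yaml is assumed to reference images under SECURE_REGISTRY
set -eu

LOCAL_REGISTRY="${LOCAL_REGISTRY:-registry.example.internal:5000}"
SECURE_REGISTRY="enterprise-hub.juniper.net/contrail-container-prod"

# Map an image reference on the secure registry to the local registry, keeping
# repository name and tag:
#   enterprise-hub.juniper.net/contrail-container-prod/foo:v1 -> <LOCAL_REGISTRY>/foo:v1
# A reference that is not on the secure registry is nested under the local
# registry unchanged, so no image is silently skipped.
local_ref() {
    ref="$1"
    printf '%s/%s\n' "$LOCAL_REGISTRY" "${ref#"$SECURE_REGISTRY"/}"
}

# Steps 2 and 3: Docker talks plain HTTP only to registries listed in
# daemon.json. The registry is unauthenticated, so limit who can reach it
# (firewall it to the cluster nodes) and remove the entry once images are moved.
daemon_json() {
    printf '{\n  "insecure-registries": ["%s"]\n}\n' "$LOCAL_REGISTRY"
}

# Steps 5 and 6: load every downloaded archive, then tag and push each image it
# contained. `docker load` reports one "Loaded image: <ref>" line per image.
load_tag_push() {
    assets_dir="$1"
    for tar in "$assets_dir"/*.tar; do
        docker load -i "$tar" | sed -n 's/^Loaded image: //p' |
        while IFS= read -r image; do
            docker tag "$image" "$(local_ref "$image")"
            docker push "$(local_ref "$image")"
        done
    done
}

# Step 8: rewrite the operator manifest so the cluster pulls from the local
# registry; the original file is left untouched.
rewrite_manifest() {
    sed "s#${SECURE_REGISTRY}/#${LOCAL_REGISTRY}/#g" "$1" > "$2"
}

# Usage: LOCAL_REGISTRY=<host>:5000 sh cn2-10351.sh ./assets kubevirt-operator.yaml
# Note: this overwrites an existing /etc/docker/daemon.json; merge by hand if you have one.
if [ "$#" -ge 2 ]; then
    daemon_json > /etc/docker/daemon.json && systemctl restart docker
    load_tag_push "$1"
    rewrite_manifest "$2" "${2%.yaml}.local.yaml"
fi
```

The string-handling functions (local_ref, daemon_json, rewrite_manifest) are separated from the Docker calls so the registry mapping can be checked before any image is pushed; the rewritten manifest is written beside the original so the downloaded file can still be diffed against it.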
Security
- CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.
Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.
- CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.
Workaround: Delete the policy and add it again.