Known Limitations
This section describes the issues and limitations present in Cloud-Native Contrail Networking (CN2) Release 23.1.
General Routing
- CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.
  Workaround: Do not configure fabric source NAT on an isolated namespace.
General Features
- CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.
- CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.
  Workaround: Disable the juniperheader option to mirror both egress and ingress packets.
- CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show error messages for the UDP test, and the ping and TCP tests will fail.
  Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.
- CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leak with traffic drops occurs.
  Workaround: Limit a bond configuration on an X710 NIC to two interfaces.
- CN2-10346: When restarting a vRouter pod on kernel-mode nodes where vhost0 is installed onto bond interfaces, the bond IP address might get assigned to a bond secondary interface instead of the bond primary interface.
  Workaround: Run the following script (Bond-patch.txt), which moves any addresses and routes that landed on a bond member interface back onto its bond:

```bash
#!/bin/bash
# Move the bond IP addresses and routes from the secondary (slave) interface
# they landed on back to the bond primary interface.
set -x
# Interfaces flagged SLAVE in "ip addr show" are the bond members.
slave_list=($(ip addr show | grep SLAVE | awk '{ print $2 }' | sed 's/://'))
for slave in "${slave_list[@]}"; do
  IFS=$' '
  # The bond this member belongs to ("master <bond>" in the link line).
  bond=$(ip addr show dev ${slave} | grep SLAVE | awk -F'master ' '{print $2}' | awk -F' ' '{print $1}')
  IFS=$'\n'
  # Re-point every route that references the member at the bond instead.
  route_list=($(ip route show | grep ${slave}))
  for route in "${route_list[@]}"; do
    echo "route: ${route}"
    new_route=$(echo ${route} | sed "s/${slave}/${bond}/g")
    route_cmd=$(echo "ip route replace ${new_route}" | sed -e 's|["'\'']||g')
    eval ${route_cmd}
  done
  # Addresses currently assigned to the member (at most one per family is expected).
  ipv4=$(ip addr show dev ${slave} | grep 'inet ' | awk '{ print $2 }')
  ipv6=$(ip addr show dev ${slave} | grep 'inet6 ' | awk '{ print $2 }')
  echo "slave: '${slave}', bond: '${bond}', ipv4: '${ipv4}', ipv6: '${ipv6}'"
  # Move the addresses from the member to the bond.
  if [[ -n "$ipv4" ]]; then
    ip addr del ${ipv4} dev ${slave}
    ip addr add ${ipv4} dev ${bond}
  fi
  if [[ -n "$ipv6" ]]; then
    ip addr del ${ipv6} dev ${slave}
    ip addr add ${ipv6} dev ${bond}
  fi
done
```
- CN2-13314: The gateway service instance (GSI) does not work with a 4-byte ASN.
  Workaround: Use a 2-byte ASN when connecting workloads through the GSI service.
Red Hat OpenShift
- CN2-7787: The KubeVirt deployment in OpenShift 4.10 fails intermittently.
  See Red Hat OCPBUGS-2535 for a workaround.
- CN2-13011: Red Hat OCP backup and restore fails.
  See the Red Hat solution at https://access.redhat.com/solutions/6964756 for a workaround.
CN2 Apstra Integration
- CN2-13607: In a CN2 Apstra deployment, Apstra takes several minutes to create a virtual network.
CN2 and Kubernetes
- CN2-4822: You cannot configure BGPaaS objects when the Contrail controller and the worker nodes are hosted on the same physical host.
  Workaround: None. Production deployments run the Kubernetes worker nodes and the controller on different physical hosts.
- CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.
  Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.
- CN2-10351: KubeVirt v0.58.0 does not support imagePullSecret, which is required for pulling images from the secure registry enterprise-hub.juniper.net/contrail-container-prod/.
  Follow these steps for the workaround:
  - Install Docker.
  - Create a local insecure registry.
  - Restart Docker.
  - Download the required containers. They are attached as Assets to the Juniper/kubevirt release named "Userspace CNI - dpdk vhostuser interface support".
  - Load the containers.
  - Tag and push the containers to the new insecure registry.
  - Download operator.yaml and cr.yaml.
  - Modify kubevirt-operator.yaml to use your insecure registry.
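The registry setup, re-tagging and manifest rewrite from the steps above, as an added shell example that is not part of the release notes or of the Juniper/kubevirt project. It assumes the images arrive as docker-save tarballs in ./images, a local registry address of 127.0.0.1:5000 (a loopback bind, so the unauthenticated plain-HTTP registry is not reachable from the network), and image references under enterprise-hub.juniper.net; the image name virt-operator in the comments is constructed.

```bash
#!/bin/bash
# Added example, not from the CN2 release notes: mirror the KubeVirt images
# into a local plain-HTTP registry and point kubevirt-operator.yaml at it.
# Assumptions: images arrive as docker-save tarballs in ./images, the registry
# address is LOCAL_REG (loopback by default, so the unauthenticated registry is
# not exposed on the network), and the images are tagged under SRC_HOST.
set -eu

SRC_HOST="enterprise-hub.juniper.net"
LOCAL_REG="${LOCAL_REG:-127.0.0.1:5000}"

# Start the registry bound to loopback only; the docker daemon allows plain
# HTTP to 127.0.0.0/8 without any insecure-registries configuration.
start_local_registry() {
  docker run -d --name kubevirt-mirror -p "${LOCAL_REG}:5000" registry:2
}

# Map one image reference onto the local registry, keeping path and tag, e.g.
#   enterprise-hub.juniper.net/contrail-container-prod/virt-operator:v0.58.0
#   -> 127.0.0.1:5000/contrail-container-prod/virt-operator:v0.58.0
# (image name constructed). References not hosted on SRC_HOST are unchanged.
retarget_image() {
  case "$1" in
    "$SRC_HOST"/*) printf '%s/%s\n' "$LOCAL_REG" "${1#"$SRC_HOST"/}" ;;
    *)             printf '%s\n' "$1" ;;
  esac
}

# Load each tarball, then tag and push every image it contained (docker load
# reports each as "Loaded image: <ref>"). Images from other registries are
# reported and left alone.
mirror_tarballs() {
  for tarball in "${1:-./images}"/*.tar; do
    [ -f "$tarball" ] || continue
    docker load -i "$tarball" | awk '/^Loaded image:/ { print $3 }' |
    while read -r ref; do
      target=$(retarget_image "$ref")
      if [ "$target" = "$ref" ]; then echo "skipping $ref"; continue; fi
      docker tag "$ref" "$target"
      docker push "$target"
    done
  done
}

# Rewrite the image: lines of a manifest on stdin so they pull from LOCAL_REG;
# quoted and unquoted references are both handled.
rewrite_manifest() {
  sed -E "s#(image:[[:space:]]*[\"']?)${SRC_HOST}/#\1${LOCAL_REG}/#"
}
```

Run start_local_registry, then mirror_tarballs ./images, then rewrite_manifest < kubevirt-operator.yaml > kubevirt-operator.local.yaml. On a multi-node cluster set LOCAL_REG to an address the other nodes can reach, since the loopback default is only visible on the node running the registry.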
Security
- CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.
  Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.
- CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.
  Workaround: Delete the policy and re-add it.