Skip to content

feat(must-gather): add OVN database analysis with ovsdb-tool #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 3, 2025
Merged

feat(must-gather): add OVN database analysis with ovsdb-tool #90

merged 1 commit into from
Nov 3, 2025
+795 −8

Conversation

@kyrtapz
Copy link
Contributor

@kyrtapz kyrtapz commented Oct 30, 2025
edited
Loading

Add OVN Northbound database analysis for interconnect mode clusters using ovsdb-tool to query database files.
Assisted-by: Claude [email protected]

I modified the path's in the must-gather skill to better reflect where the scripts are stored after installing the plugin.
In some cases I still had to nudge claude to ~/.claude/plugins to make it realize where the scripts are.

Example output:

================================================================================
Node: ip-10-0-1-230.ec2.internal
Pod:  ovnkube-node-5bjh5
================================================================================
  Logical Switches:      4
  Logical Switch Ports:  25
  ACLs:                  129
  Logical Routers:       2

  LOGICAL SWITCHES (4):
  NAME                                                         PORTS
  --------------------------------------------------------------------------------
  ip-10-0-1-230.ec2.internal                                   15
  transit_switch                                               6
  ext_ip-10-0-1-230.ec2.internal                               2
  join                                                         2

  POD LOGICAL SWITCH PORTS (13):
  NAMESPACE                                POD                                           IP
  ------------------------------------------------------------------------------------------------------------------------
  openshift-dns                            dns-default-mvcbg                             10.128.2.41
  openshift-e2e-loki                       loki-promtail-rw24w                           10.128.2.5
  openshift-ingress                        router-default-57bbcc6974-5rsbj               10.128.2.17
  openshift-ingress-canary                 ingress-canary-4pb7j                          10.128.2.27
  openshift-insights                       insights-runtime-extractor-kpstr              10.128.2.37
  openshift-monitoring                     alertmanager-main-0                           10.128.2.19
  openshift-monitoring                     metrics-server-68cd57879c-86mbs               10.128.2.13
  openshift-monitoring                     monitoring-plugin-598df95fd8-ssvjv            10.128.2.10
  openshift-monitoring                     prometheus-operator-admission-webhook-79f6445 10.128.2.9
  openshift-monitoring                     thanos-querier-6dd4d89d9d-jksd2               10.128.2.11
  openshift-multus                         network-metrics-daemon-blj65                  10.128.2.39
  openshift-network-console                networking-console-plugin-587459fbf8-vlrrw    10.128.2.8
  openshift-network-diagnostics            network-check-target-6rj2l                    10.128.2.42

  ACCESS CONTROL LISTS (129):
  PRIORITY   DIRECTION       ACTION          MATCH
  ------------------------------------------------------------------------------------------------------------------------
  1012       to-lport        allow           outport == @a4743249366342378346 && (ip4.mcast || mldv1 || mldv2 || (i
  1012       from-lport      allow           inport == @a4743249366342378346 && (ip4.mcast || mldv1 || mldv2 || (ip
  1011       to-lport        drop            (ip4.mcast || mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[
  1011       from-lport      drop            (ip4.mcast || mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[
  1001       from-lport      allow           inport == @a8747502060113802905 && (( arp && arp.tpa == 10.128.2.2 ))
  1001       to-lport        allow           outport == @a8747502060113802905 && (( arp && arp.spa == 10.128.2.2 ))
  1001       to-lport        allow-related   ip4.src == 169.254.0.5
  1001       to-lport        allow-related   ip4.src==10.128.2.2
  1001       to-lport        allow-related   outport == @a8747502060113802905 && (ip4.src==10.128.2.2)
  1001       from-lport      allow-related   ip4.src == 169.254.0.5
  1001       from-lport      allow           inport == @a12647790410160049546 && (arp || nd)
  1001       to-lport        allow           outport == @a14840337217554452252 && (arp || nd)
  1001       from-lport      allow-related   ip4 && inport == @a16844160219589135134
  1001       to-lport        allow-related   ip4 && tcp && tcp.dst=={7443,8443,9443} && outport == @a16844160219589
  1001       from-lport      allow           inport == @a7499760441077671558 && (arp || nd)
  ... and 114 more

  LOGICAL ROUTERS (2):
  NAME                                                         PORTS
  --------------------------------------------------------------------------------
  ovn_cluster_router                                           3
  GR_ip-10-0-1-230.ec2.internal                                2

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 30, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 30, 2025

Hi @kyrtapz. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kyrtapz kyrtapz force-pushed the ovn_analyzer branch 2 times, most recently from 4210e83 to 4a58026 Compare October 30, 2025 10:22
@stbenjam
Copy link
Member

stbenjam commented Oct 30, 2025

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 30, 2025
@kyrtapz
feat(must-gather): add OVN database analysis with ovsdb-tool
b270020 
Add comprehensive OVN Northbound database analysis for interconnect
mode clusters using ovsdb-tool to query binary database files.

Assisted-by: Claude <[email protected]>
Signed-off-by: Patryk Diak <[email protected]>
@stbenjam
Copy link
Member

stbenjam commented Nov 3, 2025

I modified the path's in the must-gather skill to better reflect where the scripts are stored after installing the plugin.
In some cases I still had to nudge claude to ~/.claude/plugins to make it realize where the scripts are.

I've noticed the same, and where things end up depends on how the plugin was installed. This is probably accurate enough for claude to find in both local and remote marketplace installation. The ovsdb-tool looks useful

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 3, 2025
@openshift-ci
Copy link

openshift-ci bot commented Nov 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz, stbenjam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 158c62d into openshift-eng:main Nov 3, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgoodwin dgoodwin Awaiting requested review from dgoodwin

@theobarberbany theobarberbany Awaiting requested review from theobarberbany

Assignees

@stbenjam stbenjam

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kyrtapz @stbenjam